# SARE Header Abuse Ruleset for SpamAssassin -- file 1
# Version: 01.03.21
# Created: 2004-04-25
# Modified: 2006-05-21
# Usage instructions and documentation in 70_sare_header0.cf
# Full Revision History / Change Log in 70_sare_header.log
#@@# 01.03.20 May 20 2005
#@@# Minor score updates based on additional mass-check
#@@# Modified "rule has been moved" meta flags
#@@# Archived from file 1 SARE_FROM_SPAM_DOMN0
#@@# Archived from file 1 SARE_HEAD_HDR_ALTREC
#@@# Archived from file 1 SARE_HEAD_HDR_XBBOUNC
#@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL2
#@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL4
#@@# Archived from file 1 SARE_HEAD_HDR_XMEBDOM
#@@# Archived from file 1 SARE_HEAD_HDR_XWTID
#@@# Archived from file 1 SARE_HEAD_HDR_XWTVERS
#@@# Archived from file 1 SARE_HEAD_ORIG_RECIP
#@@# Archived from file 1 SARE_RECV_IP_195229
#@@# Moved file 0 to file 1 SARE_FREE_WEBM_EsTerra
#@@# Moved file 0 to file 1 SARE_FROM_SPAM_NAME2A
#@@# Moved file 0 to file 1 SARE_HEAD_DATE46
#@@# Moved file 0 to file 1 SARE_HEAD_HDR_XEMAIL
#@@# Moved file 0 to file 1 SARE_HEAD_MIME_INVALID
#@@# Moved file 0 to file 1 SARE_RECV_IP_063106130
#@@# Moved file 1 to file 0 SARE_HEAD_HDR_XLISTAD
#@@# Moved file 1 to file 0 SARE_HEAD_MSMPR_RNDSTR
#@@# Moved file 1 to file 0 SARE_RECV_IP_209190
#@@# Moved file 1 to file 2 SARE_HEAD_DATE_RNDDATE
#@@# Moved file 1 to file 2 SARE_HEAD_HDR_MSGTYPE
#@@# Moved file 1 to file 2 SARE_HEAD_HDR_X400RCV
#@@# Moved file 1 to file 2 SARE_HEAD_HDR_XCNDINF
#@@# Moved file 1 to file 2 SARE_HEAD_HDR_XRIPE
#@@# Moved file 1 to file 2 SARE_HEAD_HDR_XSAFMMI
#@@# Moved file 1 to file 2 SARE_RECV_IP_062023
#@@# Moved file 1 to file 2 SARE_RECV_IP_065205157
#@@# Moved file 1 to file 2 SARE_RECV_IP_066248154
#@@# Moved file 1 to file 2 SARE_RECV_IP_206248152
#@@# Moved file 1 to file 2 SARE_RECV_RND_DATE
#@@# Moved file 1 to file 2 SARE_XMAIL_GDI
#@@# Moved file 1 to file 3 SARE_HEAD_DATE_5L
#@@# Moved file 1 to file 3 SARE_HEAD_XWORD
#@@# Moved file 1 to file 3 SARE_RECV_IP_063106130
#@@# Moved file 1 to file 3 SARE_RECV_IP_064034
#@@# Moved file 1 to file 3 SARE_XMAIL_GOMAIL
#@@# Moved file 1 to file 3 SARE_XMAIL_TOLMAIL
#@@# Moved from file 1 to 3 SARE_FROM_DVDCOPY
#@@# Moved from file 1 to 3 SARE_RECV_FREESERVE
#@@# Returned file 1 to file 0 SARE_HEAD_HDR_XTID
#@@# Returned file 1 to file 0 SARE_RECV_IP_163125
#@@# Returned file 2 to file 1 SARE_RECV_IP_142046
#@@# 01.03.21 May 21 2005
#@@# Minor repairs to "downgraded rule" metas.
# License: Artistic - see http://www.rulesemporium.com/license.txt
# Current Maintainer: Bob Menschel - RMSA@Menschel.net
# Current Home: http://www.rulesemporium.com/rules/70_sare_header1.cf

######## ###################### ##################################################
# Component rules used within meta rules
######## ###################### ##################################################

# Sub-rule (double-underscore name, so it carries no score of its own):
# true when the Subject header holds a run of three or more bytes in 0x80-0xff.
header   __SARE_HEAD_8BIT_SUBJ  Subject =~ /[\x80-\xff]{3,}/

######## ###################### ##################################################
# Meta rules used to prevent --lint errors after moving/changing rules
######## ###################### ##################################################

# __SARE_HEAD_FALSE is "X && !X", which can never be true. Every retired rule
# name below is aliased to it, so the name stays defined but never fires.
# NOTE(review): __FROM_AOL_COM is not defined in the visible part of this file;
# presumably it comes from the stock SpamAssassin rules -- confirm it exists in
# the deployed version, since these placeholders depend on it.
meta     __SARE_HEAD_FALSE  __FROM_AOL_COM && !__FROM_AOL_COM

meta     SARE_FREE_WEBM_CZSEZNA  __SARE_HEAD_FALSE
meta     SARE_FROM_MULTI_DASH  __SARE_HEAD_FALSE
meta     SARE_HEAD_DATE18  __SARE_HEAD_FALSE
meta     SARE_MSGID_LONG40  __SARE_HEAD_FALSE
meta     SARE_MSGID_LONG55  __SARE_HEAD_FALSE
meta     SARE_MULT_VIA_FWCATS  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_064080  __SARE_HEAD_FALSE
meta     SARE_RECV_ISWEST  __SARE_HEAD_FALSE
meta     SARE_FROM_AMERICA  __SARE_HEAD_FALSE
meta     SARE_MSGID_06D6  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_212164  __SARE_HEAD_FALSE
meta     SARE_BOUNDARY_MULTB  __SARE_HEAD_FALSE
meta     SARE_FROM_NUM_9DIG  __SARE_HEAD_FALSE
meta     SARE_FROM_PRINTER  __SARE_HEAD_FALSE
meta     SARE_HEAD_8BIT_NOSPM  __SARE_HEAD_FALSE
meta     SARE_HEAD_8BIT_SPAM  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XCCDIAG  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XMAILTH  __SARE_HEAD_FALSE
# Always-false placeholders for rules that were archived or moved to another
# SARE header file. Each name is aliased to __SARE_HEAD_FALSE (defined earlier
# in this file), so it stays defined but never fires.
# NOTE(review): SARE_HEAD_HDR_XEMAIL is stubbed here and also defined as a live
# "exists:X-EMail" rule further down in this file; presumably the later
# definition is the one that takes effect -- confirm against the deployed
# SpamAssassin version. SARE_RECV_IP_063106130 is stubbed here and again in the
# next group of placeholders.
meta     SARE_HEAD_HDR_XSMTPSV  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XUMAIL  __SARE_HEAD_FALSE
meta     SARE_HELO_SERVER  __SARE_HEAD_FALSE
meta     SARE_MSGID_LONG35  __SARE_HEAD_FALSE
meta     SARE_MSGID_LONG65  __SARE_HEAD_FALSE
meta     SARE_MSGID_LONG75  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_066111  __SARE_HEAD_FALSE
meta     SARE_RECV_SUSP_3  __SARE_HEAD_FALSE
meta     SARE_XMAIL_XMAIL  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XEMGBMS  __SARE_HEAD_FALSE
meta     SARE_HEAD_XCANIT1  __SARE_HEAD_FALSE
meta     SARE_HEAD_XCANIT2  __SARE_HEAD_FALSE
meta     SARE_MSGID_SPAM_DOMN0  __SARE_HEAD_FALSE
meta     SARE_MSGID_SUSP2  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_081019  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_211049  __SARE_HEAD_FALSE
meta     SARE_RECV_RND_NUMBER  __SARE_HEAD_FALSE
meta     SARE_FROM_NONAME  __SARE_HEAD_FALSE
meta     SARE_FROM_SPAM_CHAR0  __SARE_HEAD_FALSE
meta     SARE_HEAD_XCOM_RFCMIN  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_080178  __SARE_HEAD_FALSE
meta     SARE_XMAIL_SUSP3  __SARE_HEAD_FALSE
meta     SARE_MSGID_DBL_AT  __SARE_HEAD_FALSE
meta     SARE_FREE_WEBM_USACOPS  __SARE_HEAD_FALSE
meta     SARE_FROM_SPAM_DOMN0  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_ALTREC  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XBBOUNC  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XLEGAL2  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XLEGAL4  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XMEBDOM  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XWTID  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XWTVERS  __SARE_HEAD_FALSE
meta     SARE_HEAD_ORIG_RECIP  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_195229  __SARE_HEAD_FALSE
meta     SARE_FREE_WEBM_EsTerra  __SARE_HEAD_FALSE
meta     SARE_FROM_SPAM_NAME2A  __SARE_HEAD_FALSE
meta     SARE_HEAD_DATE46  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XEMAIL  __SARE_HEAD_FALSE
meta     SARE_HEAD_MIME_INVALID  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_063106130  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XLISTAD  __SARE_HEAD_FALSE
meta     SARE_HEAD_MSMPR_RNDSTR  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_209190  __SARE_HEAD_FALSE
meta     SARE_HEAD_DATE_RNDDATE  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_MSGTYPE  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_X400RCV  __SARE_HEAD_FALSE
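# Remaining always-false placeholders for moved rules (they alias
# __SARE_HEAD_FALSE, defined earlier in this file).
meta     SARE_HEAD_HDR_XCNDINF  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XRIPE  __SARE_HEAD_FALSE
meta     SARE_HEAD_HDR_XSAFMMI  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_062023  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_065205157  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_066248154  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_206248152  __SARE_HEAD_FALSE
meta     SARE_RECV_RND_DATE  __SARE_HEAD_FALSE
meta     SARE_XMAIL_GDI  __SARE_HEAD_FALSE
meta     SARE_HEAD_DATE_5L  __SARE_HEAD_FALSE
meta     SARE_HEAD_XWORD  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_063106130  __SARE_HEAD_FALSE
meta     SARE_RECV_IP_064034  __SARE_HEAD_FALSE
meta     SARE_XMAIL_GOMAIL  __SARE_HEAD_FALSE
meta     SARE_XMAIL_TOLMAIL  __SARE_HEAD_FALSE
meta     SARE_FROM_DVDCOPY  __SARE_HEAD_FALSE
meta     SARE_RECV_FREESERVE  __SARE_HEAD_FALSE

#####################################################################################
# SARE Header-Exists rules
######## ###################### ##################################################
# Each rule in this section fires on the mere presence of a header. Header
# presence is chosen by whoever composed the message, so these are weak,
# easily-avoided indicators; the #ham lines record legitimate senders that
# also use some of them. The #counts/#max lines are mass-check results
# (spam hits / ham hits per corpus) dated 2004-2006.

header   SARE_HEAD_HDR_APPROV  exists:Approved
describe SARE_HEAD_HDR_APPROV  Message headers used which identify spam
score    SARE_HEAD_HDR_APPROV  0.166
#hist SARE_HEAD_HDR_APPROV Moved file 0 to 1, version 01.03.09, 2 ham confirmed
#counts SARE_HEAD_HDR_APPROV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_HDR_APPROV 163s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts SARE_HEAD_HDR_APPROV 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HEAD_HDR_APPROV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts SARE_HEAD_HDR_APPROV 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_HEAD_HDR_APPROV 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_HEAD_HDR_APPROV 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_HEAD_HDR_APPROV 19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_HDR_APPROV 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_HDR_APPROV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header   SARE_HEAD_HDR_DISCREC  exists:Disclose-Recipients
describe SARE_HEAD_HDR_DISCREC  Message headers used which identify spam
score    SARE_HEAD_HDR_DISCREC  0.772
#ham SARE_HEAD_HDR_DISCREC confirmed (4), Used by usdoj.gov
#counts SARE_HEAD_HDR_DISCREC 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_HDR_DISCREC 210s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts SARE_HEAD_HDR_DISCREC 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HEAD_HDR_DISCREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts SARE_HEAD_HDR_DISCREC 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_HEAD_HDR_DISCREC 33s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_HEAD_HDR_DISCREC 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_HEAD_HDR_DISCREC 9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_HDR_DISCREC 4s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_HDR_DISCREC 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

header   SARE_HEAD_HDR_XEMAIL  exists:X-EMail
describe SARE_HEAD_HDR_XEMAIL  Message headers used which identify spam
score    SARE_HEAD_HDR_XEMAIL  1.666
#ham SARE_HEAD_HDR_XEMAIL confirmed (several, one source)
#counts SARE_HEAD_HDR_XEMAIL 221s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_HDR_XEMAIL 841s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_HDR_XEMAIL 78s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_HDR_XEMAIL 458s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_HDR_XEMAIL 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04

header   SARE_HEAD_HDR_XENC  exists:X-ENC
describe SARE_HEAD_HDR_XENC  Message headers used which identify spam
score    SARE_HEAD_HDR_XENC  0.872
#stype SARE_HEAD_HDR_XENC spamp
#hist SARE_HEAD_HDR_XENC Created by Bob Menschel Sep 03 2004
#counts SARE_HEAD_HDR_XENC 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max SARE_HEAD_HDR_XENC 19s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts SARE_HEAD_HDR_XENC 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_HEAD_HDR_XENC 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts SARE_HEAD_HDR_XENC 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
#counts SARE_HEAD_HDR_XENC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_HDR_XENC 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_HDR_XENC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# NOTE(review): SARE_HEAD_HDR_XIDKEY is defined twice below, first as a meta
# that also requires a Received header, then as a plain header-exists test.
# Presumably the later definition replaces the earlier one, which would leave
# the __HAS_RCVD condition without effect -- confirm which form is intended and
# delete the other. Both lines are kept as found.
header   __HAS_RCVD  exists:Received
header   __SARE_HEAD_HDR_IDKEY  exists:X-Identity-Key
meta     SARE_HEAD_HDR_XIDKEY  __SARE_HEAD_HDR_IDKEY && __HAS_RCVD
header   SARE_HEAD_HDR_XIDKEY  exists:X-Identity-Key
describe SARE_HEAD_HDR_XIDKEY  Apparent spam sign in headers
score    SARE_HEAD_HDR_XIDKEY  1.666
#ham SARE_HEAD_HDR_XIDKEY verified (4)
#hist SARE_HEAD_HDR_XIDKEY Created by Chris Santerre Aug 31 2004
#counts SARE_HEAD_HDR_XIDKEY 30s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_HDR_XIDKEY 3611s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_HDR_XIDKEY 232s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
#counts SARE_HEAD_HDR_XIDKEY 68s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts SARE_HEAD_HDR_XIDKEY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts SARE_HEAD_HDR_XIDKEY 104s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#counts SARE_HEAD_HDR_XIDKEY 367s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_HDR_XIDKEY 859s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# X-Legal family: sub-rules test for the header and for three phrases in it.
# XLEGAL1 = "BE ADVISED" and "in compliance" without a copyright notice;
# XLEGAL3 = any other X-Legal header that also lacks a copyright notice.
header   __SARE_HEAD_HDR_XLEGAL  exists:X-Legal
header   __SARE_HEAD_HDR_XLEGAC  X-Legal =~ m'copyright|\(c\)'i
header   __SARE_HEAD_HDR_XLEGAI  X-Legal =~ m'in compliance'i
header   __SARE_HEAD_HDR_XLEGAB  X-Legal =~ m'BE ADVISED'i

meta     SARE_HEAD_HDR_XLEGAL1  __SARE_HEAD_HDR_XLEGAB && __SARE_HEAD_HDR_XLEGAI && !__SARE_HEAD_HDR_XLEGAC
describe SARE_HEAD_HDR_XLEGAL1  Message headers used which identify spam
score    SARE_HEAD_HDR_XLEGAL1  1.666
#stype SARE_HEAD_HDR_XLEGAL1 spamgg
#hist SARE_HEAD_HDR_XLEGAL1 Bob Menschel, Aug 07 2005
#counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_HDR_XLEGAL1 7s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts SARE_HEAD_HDR_XLEGAL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

meta     SARE_HEAD_HDR_XLEGAL3  __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !__SARE_HEAD_HDR_XLEGAC
describe SARE_HEAD_HDR_XLEGAL3  Message headers used which identify spam
score    SARE_HEAD_HDR_XLEGAL3  1.666
#stype SARE_HEAD_HDR_XLEGAL3 spamgg
#hist SARE_HEAD_HDR_XLEGAL3 Bob Menschel, Aug 07 2005
#counts SARE_HEAD_HDR_XLEGAL3 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header   SARE_HEAD_HDR_XMAILID  exists:X-Mailid
describe SARE_HEAD_HDR_XMAILID  Message headers used which identify spam
score    SARE_HEAD_HDR_XMAILID  1.666
#ham SARE_HEAD_HDR_XMAILID confirmed
#counts SARE_HEAD_HDR_XMAILID 248s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#counts SARE_HEAD_HDR_XMAILID 4s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
#counts SARE_HEAD_HDR_XMAILID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts SARE_HEAD_HDR_XMAILID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_HEAD_HDR_XMAILID 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#was SARE_HEAD_HDR_XMAILID 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_HDR_XMAILID 5s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# NOTE(review): the most recent RM run below records more ham than spam hits
# (2s/5h); review the score before relying on this rule.
header   SARE_HEAD_HDR_XMLRSRV  exists:X-Mailer-Server
describe SARE_HEAD_HDR_XMLRSRV  Message headers used which identify spam
score    SARE_HEAD_HDR_XMLRSRV  0.555
#ham SARE_HEAD_HDR_XMLRSRV verified (1)
#counts SARE_HEAD_HDR_XMLRSRV 2s/5h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_HDR_XMLRSRV 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_HDR_XMLRSRV 84s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header   SARE_HEAD_HDR_XRESPID  exists:X-Response-ID
describe SARE_HEAD_HDR_XRESPID  Message headers used which identify spam
score    SARE_HEAD_HDR_XRESPID  0.528
#ham SARE_HEAD_HDR_XRESPID confirmed (1)
#counts SARE_HEAD_HDR_XRESPID 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_HDR_XRESPID 35s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_HDR_XRESPID 18s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HEAD_HDR_XRESPID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts SARE_HEAD_HDR_XRESPID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_HEAD_HDR_XRESPID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_HDR_XRESPID 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

header   SARE_HEAD_HDR_XSIDPRA  exists:X-SID-PRA
describe SARE_HEAD_HDR_XSIDPRA  fingerprint
score    SARE_HEAD_HDR_XSIDPRA  0.616
#ham SARE_HEAD_HDR_XSIDPRA confirmed
#hist SARE_HEAD_HDR_XSIDPRA Alex Broens, Aug 3 2005
#counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_HDR_XSIDPRA 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_HDR_XSIDPRA 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HEAD_HDR_XSIDPRA 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_HEAD_HDR_XSIDPRA 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06

header   SARE_HEAD_HDR_XSIDRES  exists:X-SID-Result
describe SARE_HEAD_HDR_XSIDRES  fingerprint
score    SARE_HEAD_HDR_XSIDRES  0.616
#ham SARE_HEAD_HDR_XSIDRES confirmed
#hist SARE_HEAD_HDR_XSIDRES Alex Broens, Aug 3 2005
#counts SARE_HEAD_HDR_XSIDRES 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_HDR_XSIDRES 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_HDR_XSIDRES 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HEAD_HDR_XSIDRES 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_HEAD_HDR_XSIDRES 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts SARE_HEAD_HDR_XSIDRES 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06

#####################################################################################
# SARE Content-Type and Boundary rules
######## ###################### ##################################################
# These rules match the shape of the MIME boundary string in Content-Type.
# A boundary is generated by the sending software, so each pattern identifies
# a mailer's output format, not message content.

# Eight dashes followed by exactly twenty lowercase letters.
header   SARE_BOUNDARY_05  Content-Type =~ /boundary="-{8}[a-z]{20}"/
describe SARE_BOUNDARY_05  Content type boundary used in spam
score    SARE_BOUNDARY_05  1.666
#stype SARE_BOUNDARY_05 vbggg
#hist SARE_BOUNDARY_05 Moved from file 0 to 1 May 2005
#counts SARE_BOUNDARY_05 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_BOUNDARY_05 451s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
#counts SARE_BOUNDARY_05 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_BOUNDARY_05 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_BOUNDARY_05 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_BOUNDARY_05 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#counts SARE_BOUNDARY_05 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_BOUNDARY_05 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header   SARE_BOUNDARY_06  Content-Type =~ /boundary="Boundary_\w{5}_\w{4}_\w{23}"/i
describe SARE_BOUNDARY_06  Content type boundary used in spam
score    SARE_BOUNDARY_06  1.666
#stype SARE_BOUNDARY_06 vbggg
#hist SARE_BOUNDARY_06 Created by Bob Menschel May 4 2004
#hist SARE_BOUNDARY_06 Moved from file 0 to 1 May 2005
#counts SARE_BOUNDARY_06 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_BOUNDARY_06 84s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_BOUNDARY_06 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts SARE_BOUNDARY_06 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_BOUNDARY_06 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_BOUNDARY_06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Four to twenty uppercase/digit groups, each followed by dots or underscores.
header   SARE_BOUNDARY_08  Content-Type =~ /boundary="[\.\_]*(?:[A-Z\d]+[\.\_]+){4,20}[A-Z\d]*\"/s
describe SARE_BOUNDARY_08  Improbable MIME boundary format
score    SARE_BOUNDARY_08  1.666
#hist SARE_BOUNDARY_08 LW_BOUNDARY1
#ham SARE_BOUNDARY_08 ServiceMagic , 2001
#ham SARE_BOUNDARY_08 verizon wireless picture phone transmission
#counts SARE_BOUNDARY_08 613s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_BOUNDARY_08 5929s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_BOUNDARY_08 38s/3h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_BOUNDARY_08 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_BOUNDARY_08 228s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts SARE_BOUNDARY_08 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max SARE_BOUNDARY_08 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_BOUNDARY_08 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_BOUNDARY_08 18s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts SARE_BOUNDARY_08 826s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_BOUNDARY_08 243s/2h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# Boundary consisting of exactly ten digits.
header   SARE_BOUNDARY_D10  Content-Type =~ /boundary="\d{10}"/
describe SARE_BOUNDARY_D10  Content type boundary used in spam or virus
score    SARE_BOUNDARY_D10  0.444
#ham SARE_BOUNDARY_D10 verified (1)
#hist SARE_BOUNDARY_D10 Created by Bob Menschel May 31 2004
#counts SARE_BOUNDARY_D10 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_BOUNDARY_D10 134s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_BOUNDARY_D10 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_BOUNDARY_D10 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts SARE_BOUNDARY_D10 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_BOUNDARY_D10 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts SARE_BOUNDARY_D10 5s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_BOUNDARY_D10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# All-lowercase boundary; the lookahead exempts boundaries starting "ffff",
# which the #ham note attributes to legitimate senders.
# NOTE(review): the most recent RM run records ham hits only (0s/3h) at a
# score of 1.666; review before relying on this rule.
header   SARE_BOUNDARY_LC  Content-Type =~ /boundary="(?!ffff)[a-z]+"/
describe SARE_BOUNDARY_LC  Content type boundary used in spam
score    SARE_BOUNDARY_LC  1.666
#ham SARE_BOUNDARY_LC questionable newsletters
#hist SARE_BOUNDARY_LC Created by Bob Menschel May 31 2004
#ham SARE_BOUNDARY_LC "ffff": Game Rival , ThePerfectGreeting
#counts SARE_BOUNDARY_LC 0s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_BOUNDARY_LC 899s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_BOUNDARY_LC 44s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_BOUNDARY_LC 83s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts SARE_BOUNDARY_LC 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_BOUNDARY_LC 0s/1h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_BOUNDARY_LC 125s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts SARE_BOUNDARY_LC 15s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_BOUNDARY_LC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Boundary that contains "_NextPart_" twice.
# NOTE(review): 4.000 is by far the highest score in this section and rests on
# a single pattern; the latest runs listed show no hits. Confirm it is still
# warranted.
header   SARE_BOUNDARY_NP2  Content-Type =~ /boundary=".*_NextPart_.*_NextPart_/
describe SARE_BOUNDARY_NP2  Content type boundary used in spam and viruses
score    SARE_BOUNDARY_NP2  4.000
#stype SARE_BOUNDARY_NP2 vbg
#hist SARE_BOUNDARY_NP2 Created by Bob Menschel May 31 2004
#hist SARE_BOUNDARY_NP2 Bugzilla entry 3861, Oct 03 2004
#counts SARE_BOUNDARY_NP2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_BOUNDARY_NP2 1118s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
#counts SARE_BOUNDARY_NP2 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max SARE_BOUNDARY_NP2 37s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts SARE_BOUNDARY_NP2 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_BOUNDARY_NP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_BOUNDARY_NP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
# SARE From Rules
######## ###################### ##################################################

# Address whose local part is a literal "*".
header   SARE_FROM_AST  From =~ /<\*\@.{1,50}\..{1,3}/
describe SARE_FROM_AST  Invalid character in email address
score    SARE_FROM_AST  0.666
#hist SARE_FROM_AST Originally submitted by Fred Tarasevicius
#hist SARE_FROM_AST Returned from file 2 to file 1 Oct 2005
#counts SARE_FROM_AST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_FROM_AST 20s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts SARE_FROM_AST 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts SARE_FROM_AST 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_FROM_AST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_FROM_AST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Quoted display name followed by an all-uppercase local part at msn.com.
# The dot in the domain is now escaped: unescaped, "." matched any character,
# so hosts such as "msnXcom" also satisfied the pattern.
header   SARE_FROM_CAPS_MSN  From =~ /"[^"]+" <[A-Z]+\@msn\.com>/ # no /i
describe SARE_FROM_CAPS_MSN  Ratware all-caps MSN from address
score    SARE_FROM_CAPS_MSN  0.828
#ham SARE_FROM_CAPS_MSN verified (3)
#hist SARE_FROM_CAPS_MSN Created by Bob Menschel May 15 2004
#counts SARE_FROM_CAPS_MSN 18s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_FROM_CAPS_MSN 421s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts SARE_FROM_CAPS_MSN 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_FROM_CAPS_MSN 48s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_FROM_CAPS_MSN 102s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts SARE_FROM_CAPS_MSN 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max SARE_FROM_CAPS_MSN 59s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_FROM_CAPS_MSN 28s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_FROM_CAPS_MSN 51s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts SARE_FROM_CAPS_MSN 61s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_FROM_CAPS_MSN 28s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# The word "soma" anywhere in From; the #hist line records a real user with
# that userid, so ham hits are expected.
header   SARE_FROM_DRUGS2  From =~ /\bsoma\b/i
describe SARE_FROM_DRUGS2  From a drug
score    SARE_FROM_DRUGS2  0.644
#ham SARE_FROM_DRUGS2 verified (3)
#hist SARE_FROM_DRUGS2 Bob Menschel June 25 2005; ham email from userid = soma
#counts SARE_FROM_DRUGS2 1s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_FROM_DRUGS2 79s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_FROM_DRUGS2 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
#max SARE_FROM_DRUGS2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
#counts SARE_FROM_DRUGS2 20s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_FROM_DRUGS2 62s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts SARE_FROM_DRUGS2 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts SARE_FROM_DRUGS2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06

# NOTE(review): FROM_BLANK_NAME has no describe or score line in the visible
# part of this file.
header   FROM_BLANK_NAME  From =~ /(?:\s|^)"" <\S+>/i # SA 3.1.0
# NOTE(review): the pattern below looks truncated, and text appears to be
# missing between it and the SARE_MSGID_QMAIL1 lines that follow (possibly an
# angle-bracketed span lost when this copy was made). Restore both from a
# trusted copy of the ruleset.
header   __SARE_FROM_NONAME  From =~ /"" ?/

# NOTE(review): no header/meta definition for SARE_MSGID_QMAIL1 is visible in
# this copy, only its describe and score; without a definition the rule cannot
# fire. The pattern is not reconstructed here.
describe SARE_MSGID_QMAIL1  Contains spoofing message id
score    SARE_MSGID_QMAIL1  0.056
#ham SARE_MSGID_QMAIL1 confirmed
#hist SARE_MSGID_QMAIL1 David Hooton, Fri, 11 Jun 2004
#counts SARE_MSGID_QMAIL1 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_MSGID_QMAIL1 31s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
#counts SARE_MSGID_QMAIL1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max SARE_MSGID_QMAIL1 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_MSGID_QMAIL1 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_MSGID_QMAIL1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts SARE_MSGID_QMAIL1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_MSGID_QMAIL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_MSGID_QMAIL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Message-Id of the form <10-15 digits . 18-40 digits @ lowercase letters>.
# NOTE(review): the describe text ends at "Message-Id is"; the remainder
# appears to be missing from this copy.
header   SARE_MSGID_RATWARE2  MESSAGEID =~ /\<\d{10,15}\.\d{18,40}\@[a-z]+\>/ # no /i!
describe SARE_MSGID_RATWARE2  Message-Id is
score    SARE_MSGID_RATWARE2  0.639
#hist SARE_MSGID_RATWARE2 Loren Wilton Sat, 3 Apr 2004 20:29:32 -0800
#matches SARE_MSGID_RATWARE2 numbers.numbers@letters
#counts SARE_MSGID_RATWARE2 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_MSGID_RATWARE2 1640s/0h of 115925 corpus (94616s/21309h) 05/01/04
#counts SARE_MSGID_RATWARE2 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_MSGID_RATWARE2 33s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_MSGID_RATWARE2 66s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts SARE_MSGID_RATWARE2 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_MSGID_RATWARE2 31s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_MSGID_RATWARE2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max SARE_MSGID_RATWARE2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts SARE_MSGID_RATWARE2 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_MSGID_RATWARE2 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# Message-Id of one to six characters in total.
header   SARE_MSGID_SHORT  MESSAGEID =~ /^.{1,6}$/
describe SARE_MSGID_SHORT  Message ID is too short to be valid.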
score    SARE_MSGID_SHORT  0.856
#hist SARE_MSGID_SHORT RM_hm_ShortMsgid6
#counts SARE_MSGID_SHORT 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_MSGID_SHORT 191s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
#counts SARE_MSGID_SHORT 16s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_MSGID_SHORT 34s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_MSGID_SHORT 40s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_MSGID_SHORT 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_MSGID_SHORT 68s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_MSGID_SHORT 18s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#counts SARE_MSGID_SHORT 28s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

#####################################################################################
# SARE Received Header Rules
######## ###################### ##################################################
# Two kinds of test appear below. Rules on X-Spam-Relays-Untrusted read
# SpamAssassin's parsed relay metadata; rules on Received read the raw header
# text. The HELO value is whatever name the connecting host announced, and
# Received lines added before the message reached a trusted relay are written
# by the sending side, so both are hints and not verified facts.

# HELO name beginning "dsl-". No describe line is present for this rule.
# The #max line records 18 ham hits, so legitimate DSL-hosted senders do match.
header   SARE_HELO_EQ_DSL_3  X-Spam-Relays-Untrusted =~ /helo=dsl-/
score    SARE_HELO_EQ_DSL_3  1.022
#ham SARE_HELO_EQ_DSL_3 confirmed (several)
#hist SARE_HELO_EQ_DSL_3 Frederic Tarasevicius, Feb 22 2005
#counts SARE_HELO_EQ_DSL_3 232s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HELO_EQ_DSL_3 529s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HELO_EQ_DSL_3 51s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HELO_EQ_DSL_3 143s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_HELO_EQ_DSL_3 149s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts SARE_HELO_EQ_DSL_3 23s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_HELO_EQ_DSL_3 42s/1h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts SARE_HELO_EQ_DSL_3 22s/2h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_HELO_EQ_DSL_3 68s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HELO_EQ_DSL_3 84s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HELO_EQ_DSL_3 117s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# HELO name of the form "pppoe-" plus four dash-separated numeric groups.
# No describe line is present for this rule.
header   SARE_HELO_EQ_PPPOE  X-Spam-Relays-Untrusted =~ /helo=pppoe-\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}/i
score    SARE_HELO_EQ_PPPOE  0.555
#stype SARE_HELO_EQ_PPPOE spamp
#hist SARE_HELO_EQ_PPPOE Frederic Tarasevicius, Feb 22 2005
#counts SARE_HELO_EQ_PPPOE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HELO_EQ_PPPOE 3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HELO_EQ_PPPOE 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
#counts SARE_HELO_EQ_PPPOE 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts SARE_HELO_EQ_PPPOE 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts SARE_HELO_EQ_PPPOE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HELO_EQ_PPPOE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Raw Received text containing "helo=yahoo.com". This only matches relays that
# log the HELO in "helo=" form, and it is tested against the raw header text,
# not the parsed untrusted-relay data used by the two rules above.
header   SARE_HELO_YAHOO  Received =~ /helo=yahoo\.com/i
describe SARE_HELO_YAHOO  Received header has spamsign
score    SARE_HELO_YAHOO  0.828
#ham SARE_HELO_YAHOO confirmed (6), generated by X-Mailer: Apple Mail (2.552)
#hist SARE_HELO_YAHOO Created by Bob Menschel Oct 26 2004
#counts SARE_HELO_YAHOO 41s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HELO_YAHOO 663s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HELO_YAHOO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_HELO_YAHOO 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts SARE_HELO_YAHOO 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#counts SARE_HELO_YAHOO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Three or more consecutive bytes in 0x80-0xff inside a Received header.
header   SARE_HEAD_8BIT_RECV  Received =~ /[\x80-\xff]{3,}/
describe SARE_HEAD_8BIT_RECV  High-ascii characters found in strange header
score    SARE_HEAD_8BIT_RECV  1.666
#ham SARE_HEAD_8BIT_RECV verified (1)
#hist SARE_HEAD_8BIT_RECV From Bugzilla # 2243
#counts SARE_HEAD_8BIT_RECV 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_8BIT_RECV 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_8BIT_RECV 21s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HEAD_8BIT_RECV 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_HEAD_8BIT_RECV 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05 #counts SARE_HEAD_8BIT_RECV 10s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_HEAD_8BIT_RECV 13s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_HEAD_8BIT_RECV 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_FEP5 Received =~ /by fep5\./i describe SARE_RECV_FEP5 Message contains known spam format score SARE_RECV_FEP5 1.666 #ham SARE_RECV_FEP5 verified (1) #counts SARE_RECV_FEP5 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_FEP5 528s/0h of 280812 corpus (109490s/171322h RM) 05/05/05 #counts SARE_RECV_FEP5 7s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 #counts SARE_RECV_FEP5 27s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_FEP5 479s/0h of 47283 corpus (43206s/4077h MY) 06/05/05 #counts SARE_RECV_FEP5 208s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_FEP5 72s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_FEP5 6s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_RECV_MDNETCOMBR Received =~ /\bmdnet\.com\.br/ describe SARE_RECV_MDNETCOMBR Came through/fromsite used by spammer score SARE_RECV_MDNETCOMBR 0.756 #counts SARE_RECV_MDNETCOMBR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_MDNETCOMBR 33s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #counts SARE_RECV_MDNETCOMBR 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_MDNETCOMBR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_RECV_MDNETCOMBR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_MDNETCOMBR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_RECV_PATMEDIA Received =~ /\bpatmedia\.net/i describe SARE_RECV_PATMEDIA Passed through possible spammer relay or source score SARE_RECV_PATMEDIA 0.964 #stype SARE_RECV_PATMEDIA spamp #hist 
SARE_RECV_PATMEDIA Created by Bob Menschel Aug 19 2004
#counts SARE_RECV_PATMEDIA 10s/19h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_PATMEDIA 47s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_RECV_PATMEDIA 15s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
#counts SARE_RECV_PATMEDIA 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_RECV_PATMEDIA 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts SARE_RECV_PATMEDIA 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_RECV_PATMEDIA 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts SARE_RECV_PATMEDIA 93s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_PATMEDIA 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# NOTE(review): the most recent RM count above records more ham than spam
# hits for SARE_RECV_PATMEDIA (10s/19h); check the rule against local mail
# before relying on its score.

# PORTHELO family: three rules keyed on a "helo=[word]" token in a Received
# header, from the loosest match to the most specific one.
#
# Unscored helper sub-rules (names starting with "__"):
#   A: any "helo=[word]" token.
#   B: the token inside a "(port=NNNN helo=[word])" group with a 4-digit port.
header   __SARE_RECV_PORTHELOA  Received =~ /helo=\[\w+\]/i
header   __SARE_RECV_PORTHELOB  Received =~ /\(port=\d{4} helo=\[\w+\]\)/i

# _1: the full form, "from [a.b.c.d] (port=NNNN helo=[word])".
header   SARE_RECV_PORTHELO_1   Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \(port=\d{4} helo=\[\w+\]\)/i
describe SARE_RECV_PORTHELO_1   Apparent Spamsign in Received header

# _2: the port/helo group matched (B), but the full _1 form did not.
meta     SARE_RECV_PORTHELO_2   __SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
describe SARE_RECV_PORTHELO_2   Apparent Spamsign in Received header

# _3: only the bare helo token matched (A); neither B nor _1 did.
meta     SARE_RECV_PORTHELO_3   __SARE_RECV_PORTHELOA && !__SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
describe SARE_RECV_PORTHELO_3   Apparent Spamsign in Received header

score    SARE_RECV_PORTHELO_1   1.666
#note SARE_RECV_PORTHELO_1 As of June 8 2005, all three rules in this family hit identically.
#note SARE_RECV_PORTHELO_1 We score them based on their "safety".
#hist SARE_RECV_PORTHELO_1 Loren Wilton, June 2005 #counts SARE_RECV_PORTHELO_1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_PORTHELO_1 5201s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_PORTHELO_1 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_PORTHELO_1 42s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #counts SARE_RECV_PORTHELO_1 116s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_PORTHELO_1 0s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06 #max SARE_RECV_PORTHELO_1 83s/1h of 7500 corpus (1767s/5733h ft) 09/18/05 #counts SARE_RECV_PORTHELO_1 69s/0h of 55754 corpus (18581s/37173h JH-3.01) 06/10/05 #counts SARE_RECV_PORTHELO_1 230s/1h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_PORTHELO_1 286s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 score SARE_RECV_PORTHELO_2 2.000 #counts SARE_RECV_PORTHELO_2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 score SARE_RECV_PORTHELO_3 2.222 #counts SARE_RECV_PORTHELO_3 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_PORTHELO_3 499s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_PORTHELO_3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 header SARE_RECV_SKANOVA Received =~ /\bskanova\.com/i describe SARE_RECV_SKANOVA From or passed through spammer/unreliable domain score SARE_RECV_SKANOVA 0.660 #ham SARE_RECV_SKANOVA verified (several) #hist SARE_RECV_SKANOVA Created by Bob Menschel Apr 03 2004 #counts SARE_RECV_SKANOVA 37s/2h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_SKANOVA 197s/6h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_SKANOVA 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_SKANOVA 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_SKANOVA 18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_RECV_SKANOVA 15s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05 #counts SARE_RECV_SKANOVA 1s/0h of 
13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_SKANOVA 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #counts SARE_RECV_SKANOVA 43s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_SKANOVA 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_SPAM_DOMN02 Received =~ /\b(?:dsl\.telesp|speedyterra)\.(?:com|net)\.br/ describe SARE_RECV_SPAM_DOMN02 Email passed through apparent spammer domain score SARE_RECV_SPAM_DOMN02 1.666 #ham SARE_RECV_SPAM_DOMN02 Confirmed (5) #counts SARE_RECV_SPAM_DOMN02 31s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_SPAM_DOMN02 1953s/8h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_SPAM_DOMN02 138s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_SPAM_DOMN02 168s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #max SARE_RECV_SPAM_DOMN02 187s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 #counts SARE_RECV_SPAM_DOMN02 17s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_SPAM_DOMN02 64s/0h of 47283 corpus (43206s/4077h MY) 06/05/05 #counts SARE_RECV_SPAM_DOMN02 60s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_SPAM_DOMN02 631s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_SPAM_DOMN02 194s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_SPAM_DOMN04 Received =~ /\b(?:megared)\.(?:com|net)\.mx/ describe SARE_RECV_SPAM_DOMN04 Email passed through apparent spammer domain score SARE_RECV_SPAM_DOMN04 0.772 #ham SARE_RECV_SPAM_DOMN04 verified (3) #counts SARE_RECV_SPAM_DOMN04 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_SPAM_DOMN04 244s/9h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_SPAM_DOMN04 29s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_SPAM_DOMN04 34s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_SPAM_DOMN04 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #counts 
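SARE_RECV_SPAM_DOMN04 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_RECV_SPAM_DOMN04 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts SARE_RECV_SPAM_DOMN04 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_SPAM_DOMN04 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# Fires when a Received header contains the host suffix adsl.cust.tie.cl
# (case-insensitive). The dots are escaped so that only the literal suffix
# matches; an unescaped "." matches any character, which made the rule hit
# strings that are not this domain.
header   SARE_RECV_SPAM_DOMN06  Received =~ /adsl\.cust\.tie\.cl/i
describe SARE_RECV_SPAM_DOMN06  Passed through possible spammer relay or source
score    SARE_RECV_SPAM_DOMN06  0.678
#ham SARE_RECV_SPAM_DOMN06 verified (1)
#hist SARE_RECV_SPAM_DOMN06 Created by Bob Menschel Jul 17 2004
#counts SARE_RECV_SPAM_DOMN06 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_SPAM_DOMN06 161s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_RECV_SPAM_DOMN06 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_RECV_SPAM_DOMN06 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_RECV_SPAM_DOMN06 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_RECV_SPAM_DOMN06 6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts SARE_RECV_SPAM_DOMN06 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_RECV_SPAM_DOMN06 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts SARE_RECV_SPAM_DOMN06 27s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_SPAM_DOMN06 15s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# Fires when a Received header contains one of the listed names followed by
# .com, .net, .org or .info. The match is case-sensitive (no /i flag).
header   SARE_RECV_SPAM_DOMN0a  Received =~ /\b(?:cyberemailings|netmedia-corp|themailservers|ucanrecover|vnuemedia|winnerssweepstakes|wseas|www--directory)\.(?:com|net|org|info)/
describe SARE_RECV_SPAM_DOMN0a  Email passed through apparent spammer domain
score    SARE_RECV_SPAM_DOMN0a  0.917
#ham SARE_RECV_SPAM_DOMN0a 218-162-39-132.dynamic.hinet.net, valid/appropriate UCE
#hist SARE_RECV_SPAM_DOMN0a freeserve.com removed May 16 2005
#counts SARE_RECV_SPAM_DOMN0a 28s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_SPAM_DOMN0a 242s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts 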
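SARE_RECV_SPAM_DOMN0a 19s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_RECV_SPAM_DOMN0a 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_RECV_SPAM_DOMN0a 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_RECV_SPAM_DOMN0a 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_RECV_SPAM_DOMN0a 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts SARE_RECV_SPAM_DOMN0a 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#counts SARE_RECV_SPAM_DOMN0a 8s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_SPAM_DOMN0a 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# Fires when a Received header contains "dynamic.hinet." followed by
# com, net, org or info. The dot after "dynamic" is escaped so that it
# matches only a literal "."; unescaped, it matched any character.
# NOTE(review): the counts below include ham hits (39h and 20h in the RM
# corpus) and the #ham line reads "confirmed (many)"; check the 1.666 score
# against local mail before relying on it.
header   SARE_RECV_SPAM_DOMN0b  Received =~ /\bdynamic\.hinet\.(?:com|net|org|info)/
describe SARE_RECV_SPAM_DOMN0b  Email passed through apparent spammer domain
score    SARE_RECV_SPAM_DOMN0b  1.666
#ham SARE_RECV_SPAM_DOMN0b confirmed (many)
#counts SARE_RECV_SPAM_DOMN0b 1272s/39h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_SPAM_DOMN0b 4287s/20h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_RECV_SPAM_DOMN0b 809s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_RECV_SPAM_DOMN0b 40s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts SARE_RECV_SPAM_DOMN0b 25s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_RECV_SPAM_DOMN0b 59s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts SARE_RECV_SPAM_DOMN0b 43s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#counts SARE_RECV_SPAM_DOMN0b 600s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_SPAM_DOMN0b 399s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# Fires when a Received header contains speedy.com.ar or speedy.net.ar
# (case-sensitive).
header   SARE_RECV_SPEEDY_AR    Received =~ /\b(?:speedy)\.(?:com|net)\.ar/
describe SARE_RECV_SPEEDY_AR    Email passed through apparent spammer domain
score    SARE_RECV_SPEEDY_AR    0.808
#ham SARE_RECV_SPEEDY_AR From: "Hushport Admin" , Received: from nairobi (200-63-141-89.speedy.com.ar [200.63.141.89])
#counts SARE_RECV_SPEEDY_AR 60s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
#max 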
SARE_RECV_SPEEDY_AR 278s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_SPEEDY_AR 10s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06 #counts SARE_RECV_SPEEDY_AR 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_SPEEDY_AR 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_SPEEDY_AR 14s/0h of 47283 corpus (43206s/4077h MY) 06/05/05 #counts SARE_RECV_SPEEDY_AR 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_SPEEDY_AR 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_SPEEDY_AR 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_SPEEDY_AR 51s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_UK2NET2 Received =~ /\buk2\.net\b/i describe SARE_RECV_UK2NET2 Passed through possible spammer relay or source score SARE_RECV_UK2NET2 0.917 #hist SARE_RECV_UK2NET2 Created by Bob Menschel Oct 01 2004 #counts SARE_RECV_UK2NET2 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #counts SARE_RECV_UK2NET2 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_UK2NET2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_UK2NET2 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_UK2NET2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #max SARE_RECV_UK2NET2 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_RECV_UK2NET2 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_UK2NET2 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #counts SARE_RECV_UK2NET2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_UK2NET2 7s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_VIRTUACOMBR Received =~ /\bvirtua\.com\.br/ describe SARE_RECV_VIRTUACOMBR Came through/fromsite used by spammer score SARE_RECV_VIRTUACOMBR 1.193 #ham SARE_RECV_VIRTUACOMBR confirmed (4) #hist SARE_RECV_VIRTUACOMBR RM_hr_VirtuaComBr #counts SARE_RECV_VIRTUACOMBR 32s/3h of 173032 corpus (99056s/73976h 
RM) 05/11/06 #max SARE_RECV_VIRTUACOMBR 882s/45h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_VIRTUACOMBR 36s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_VIRTUACOMBR 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_VIRTUACOMBR 20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_RECV_VIRTUACOMBR 104s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_VIRTUACOMBR 25s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_VIRTUACOMBR 37s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_VIRTUACOMBR 193s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_VIRTUACOMBR 63s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 ##################################################################################### # SARE Received Header IP Address Rules ######## ###################### ################################################## #eader __SARE_RECV_BEZEQINT Received =~ /\bbezeqint\.net/ header __SARE_RECV_BEZEQINT1 Received =~ /\[212\.179\.13\.\d{1,3}\]/ header __SARE_RECV_BEZEQINT2 Received =~ /\[212\.179\.(?:8\d|9[1-46-9]|10[0-6]|11[6-9]|12[89]|1[3-6]\d|17[0-36-9]|19[02-9]|2\d\d)\.\d{1,3}\]/ header __SARE_RECV_BEZEQINT3 Received =~ /\[62\.219\.(?:4[89]|5[1-9]|[67]\d|11[2-9]|1[2-5]\d|189|192)\.\d{1,3}\]/ header __SARE_RECV_BEZEQINT4 Received =~ /\[81\.218\.(?:\d{1,2}|1[01]\d|12[0-7]|13[2-9]|1[4-9]\d|2\d\d)\.\d{1,3}\]/ header __SARE_RECV_BEZEQINT5 Received =~ /\[82\.80\.(?:\d|[1-5]\d|6[0-3]|12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3}\]/ header __SARE_RECV_BEZEQINT6 Received =~ /\[82\.81\.(?:\d|\d\d|1[01]\d|12[0-7]|19[2-9]|2[01]\d|22[0-3])\.\d{1,3}\]/ meta SARE_RECV_BEZEQINT_B __SARE_RECV_BEZEQINT1 || __SARE_RECV_BEZEQINT2 || __SARE_RECV_BEZEQINT3 || __SARE_RECV_BEZEQINT4 || __SARE_RECV_BEZEQINT5 || __SARE_RECV_BEZEQINT6 describe SARE_RECV_BEZEQINT_B Came through/fromsite used by spammer score SARE_RECV_BEZEQINT_B 0.763 #ham SARE_RECV_BEZEQINT_B verified (4) 
#hist SARE_RECV_BEZEQINT_B Created by Bob Menschel Jan 29 from data supplied by Bezeqint.net to replace SARE_RECV_BEZEQINT #counts SARE_RECV_BEZEQINT_B 23s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_BEZEQINT_B 494s/6h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_BEZEQINT_B 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_BEZEQINT_B 24s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_BEZEQINT_B 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_BEZEQINT_B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #counts SARE_RECV_BEZEQINT_B 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_BEZEQINT_B 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_BEZEQINT_B 38s/2h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_BEZEQINT_B 20s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_FROMIP1 Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i describe SARE_RECV_IP_FROMIP1 Received line is IP address from IP address score SARE_RECV_IP_FROMIP1 1.666 #hist SARE_RECV_IP_FROMIP1 From Regis Wilson, Wed, 24 Mar 2004, SUSP_IP_RECEIVED #ham SARE_RECV_IP_FROMIP1 ham: South Valley Bank #counts SARE_RECV_IP_FROMIP1 598s/3h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_FROMIP1 2940s/7h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_FROMIP1 186s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_FROMIP1 1547s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_IP_FROMIP1 1784s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_FROMIP1 18s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_FROMIP1 639s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 #counts SARE_RECV_IP_FROMIP1 81s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max 
SARE_RECV_IP_FROMIP1 661s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_FROMIP1 173s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_FROMIP1 730s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_FROMIP3 ALL =~ /Received: from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by [a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz); [SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}/i describe SARE_RECV_IP_FROMIP3 Received line is IP address from IP address score SARE_RECV_IP_FROMIP3 0.711 #match SARE_RECV_IP_FROMIP3 Received: from 2.19.230.24 by web9DKKRb8QDIGIT.mail.yahoo.com; Sun, 28 Mar 2004 22:08:01 -0500 #ham SARE_RECV_IP_FROMIP3 Messages from a cell phone #hist SARE_RECV_IP_FROMIP3 From Fred , Fri, 2 Apr 2004, RE_hrip_IPfromIPc #counts SARE_RECV_IP_FROMIP3 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_FROMIP3 587s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_FROMIP3 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_FROMIP3 111s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_IP_FROMIP3 155s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 #counts SARE_RECV_IP_FROMIP3 1s/4h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_FROMIP3 46s/3h of 17050 corpus (14617s/2433h MY) 08/08/04 #counts SARE_RECV_IP_FROMIP3 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_FROMIP3 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_FROMIP3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_FROMIP3 19s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_061050 Received =~ /\[61\.5[01]\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_061050 Spam passed through possible spammer relay score SARE_RECV_IP_061050 1.544 #ham SARE_RECV_IP_061050 confirmed (2) #counts SARE_RECV_IP_061050 66s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 
#max SARE_RECV_IP_061050 757s/1h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_061050 62s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_061050 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_061050 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_061050 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #counts SARE_RECV_IP_061050 7s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_IP_061050 23s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_061050 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_061072 Received =~ /\[61\.7[2-7]\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_061072 Passed through possible spammer relay or source score SARE_RECV_IP_061072 1.592 #note SARE_RECV_IP_061072 Korea Telecom #hist SARE_RECV_IP_061072 Created by Bob Menschel Nov 02 2004 #ham SARE_RECV_IP_061072 verified (1) #counts SARE_RECV_IP_061072 42s/1h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_061072 2043s/5h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_061072 61s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_061072 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_IP_061072 11s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_061072 48s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_RECV_IP_061072 11s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_061072 21s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #counts SARE_RECV_IP_061072 177s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_061072 33s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_061187 Received =~ /\[61\.187\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_061187 Passed through possible spammer relay or source score SARE_RECV_IP_061187 0.694 #hist SARE_RECV_IP_061187 Created by Bob Menschel Aug 09 2004 #counts 
SARE_RECV_IP_061187 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_061187 36s/1h of 114241 corpus (81067s/33174h RM) 01/15/05 #counts SARE_RECV_IP_061187 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_061187 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_IP_061187 4s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04 #counts SARE_RECV_IP_061187 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_061187 20s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #counts SARE_RECV_IP_061187 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_IP_061187 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_061187 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_061190 Received =~ /\[61\.190\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_061190 Spam passed through possible spammer relay score SARE_RECV_IP_061190 1.111 #stype SARE_RECV_IP_061190 spamp #hist SARE_RECV_IP_061190 Created by Bob Menschel Apr 04 2004 #counts SARE_RECV_IP_061190 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_061190 42s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_061190 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_061190 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_IP_061190 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_061190 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_061190 5s/0h of 47283 corpus (43206s/4077h MY) 06/05/05 #counts SARE_RECV_IP_061190 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_IP_061190 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_061190 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_061228 Received =~ /\[61\.(?:22[89]|23[01])\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_061228 Spam passed through possible spammer relay 
score SARE_RECV_IP_061228 0.895 #ham SARE_RECV_IP_061228 verified (1) #counts SARE_RECV_IP_061228 229s/8h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_061228 757s/3h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_061228 140s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_061228 6s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_IP_061228 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_061228 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #counts SARE_RECV_IP_061228 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_IP_061228 85s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_061228 80s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_066017 Received =~ /\[66\.17\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}\]/ describe SARE_RECV_IP_066017 Passed through possible spammer relay or source score SARE_RECV_IP_066017 0.637 #ham SARE_RECV_IP_066017 confirmed (8) #note SARE_RECV_IP_066017 Yipes Communications Inc #hist SARE_RECV_IP_066017 Created by Bob Menschel Nov 20 2004 #counts SARE_RECV_IP_066017 16s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_066017 88s/12h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_066017 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_066017 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_IP_066017 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_066017 61s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_066017 335s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #counts SARE_RECV_IP_066017 0s/8h of 10590 corpus (5819s/4771h CT) 07/26/05 #max SARE_RECV_IP_066017 149s/8h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_066017 52s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_066017 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 
header SARE_RECV_IP_066165224 Received =~ /\[66\.165\.2(?:2[4-9]|3\d)\.\d{1,3}\]/ describe SARE_RECV_IP_066165224 Spam passed through possible spammer relay score SARE_RECV_IP_066165224 1.278 #ham SARE_RECV_IP_066165224 confirmed: 3 #hist SARE_RECV_IP_066165224 Created by Bob Menschel May 14 2005 #note SARE_RECV_IP_066165224 Cyber World Internet Services #counts SARE_RECV_IP_066165224 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_066165224 34s/0h of 272483 corpus (108035s/164448h RM) 05/15/05 #counts SARE_RECV_IP_066165224 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_066165224 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_IP_066165224 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_066165224 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 #counts SARE_RECV_IP_066165224 4s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_066165224 124s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 header SARE_RECV_IP_069050210 Received =~ /\[69\.50\.210\.\d{1,3}\]/ describe SARE_RECV_IP_069050210 Spam passed through possible spammer relay score SARE_RECV_IP_069050210 0.700 #ham SARE_RECV_IP_069050210 confirmed (2) #hist SARE_RECV_IP_069050210 Created by Fred Tarasevicius May 2005 #counts SARE_RECV_IP_069050210 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_069050210 49s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_069050210 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_069050210 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 #max SARE_RECV_IP_069050210 12s/0h of 6924 corpus (1403s/5521h ft) 07/27/05 #counts SARE_RECV_IP_069050210 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_069050210 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 header SARE_RECV_IP_069060096 Received =~ /\[69\.60\.(?:9[6-9]|1(?:[01]\d|2[0-7]))\.\d{1,3}\]/ describe SARE_RECV_IP_069060096 Spam passed through 
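possible spammer relay
score    SARE_RECV_IP_069060096 1.666
#ham SARE_RECV_IP_069060096 verified (1)
#hist SARE_RECV_IP_069060096 Created by Bob Menschel May 14 2005
#counts SARE_RECV_IP_069060096 112s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_IP_069060096 6813s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_RECV_IP_069060096 11s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
#counts SARE_RECV_IP_069060096 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#counts SARE_RECV_IP_069060096 409s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_IP_069060096 166s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
#counts SARE_RECV_IP_069060096 368s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_RECV_IP_069060096 398s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

# Fires when a Received header contains a bracketed address 82.80.X.Y with
# X in 128-189 or X = 191.
# NOTE(review): X = 190 is not covered by the alternation; confirm whether
# that gap is intended.
header   SARE_RECV_IP_082080    Received =~ /\[82\.80\.(?:12[89]|1[3-8]\d|191)\.\d{1,3}\]/
describe SARE_RECV_IP_082080    Spam passed through possible spammer relay
score    SARE_RECV_IP_082080    1.111
#stype SARE_RECV_IP_082080 spamp
#counts SARE_RECV_IP_082080 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_IP_082080 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_RECV_IP_082080 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_RECV_IP_082080 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts SARE_RECV_IP_082080 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_RECV_IP_082080 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts SARE_RECV_IP_082080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_RECV_IP_082080 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_IP_082080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when a Received header contains a bracketed address 82.102.X.Y with
# X in 32-63. The separator before the last octet is escaped so that it
# matches only a literal "."; unescaped, it matched any character and let
# the rule hit bracketed strings that are not dotted-quad addresses.
header   SARE_RECV_IP_082102    Received =~ /\[82\.102\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3}\]/
describe SARE_RECV_IP_082102    Spam passed through possible spammer relay
score    SARE_RECV_IP_082102    0.555
#stype SARE_RECV_IP_082102 spamp
#hist SARE_RECV_IP_082102 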
Created by Bob Menschel May 20 2004 #counts SARE_RECV_IP_082102 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_082102 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_082102 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_082102 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_082102 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 #counts SARE_RECV_IP_082102 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_082102 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_082102 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_082102 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_082154 Received =~ /\[82\.15[45]\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_082154 Passed through possible spammer relay or source score SARE_RECV_IP_082154 1.666 #ham SARE_RECV_IP_082154 confirmed (1) #hist SARE_RECV_IP_082154 Created by Bob Menschel Aug 10 2004 #counts SARE_RECV_IP_082154 256s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_082154 572s/5h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_082154 62s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_082154 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_IP_082154 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_082154 43s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_RECV_IP_082154 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_IP_082154 231s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_082154 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_083028 Received =~ /\[83\.28\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_083028 Passed through possible spammer relay or source score SARE_RECV_IP_083028 1.666 #ham SARE_RECV_IP_083028 verified (1) #hist SARE_RECV_IP_083028 Created by Bob 
Menschel Sep 10 2004 #note SARE_RECV_IP_083028 Large block of IP addresses in Poland #counts SARE_RECV_IP_083028 8s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_083028 171s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_083028 157s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_083028 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_083028 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_083028 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 #counts SARE_RECV_IP_083028 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_IP_083028 42s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_083028 19s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_140117 Received =~ /\[140\.1(?:1[789]|2\d|3[0-8])\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_140117 Passed through possible spammer relay or source score SARE_RECV_IP_140117 0.690 #ham SARE_RECV_IP_140117 confirmed (1) #hist SARE_RECV_IP_140117 Created by Bob Menschel Oct 03 2004 #note SARE_RECV_IP_140117 Ministry of Education Computing Center, Taipei, Taiwan #counts SARE_RECV_IP_140117 26s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_140117 87s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_140117 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_140117 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_IP_140117 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #counts SARE_RECV_IP_140117 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_140117 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_140117 22s/4h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_140117 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_142046 Received =~ /\[142\.46\.148\.\d{1,3}\]/ describe SARE_RECV_IP_142046 Passed through 
possible spammer relay or source score SARE_RECV_IP_142046 0.555 #stype SARE_RECV_IP_142046 spamp #hist SARE_RECV_IP_142046 Created by Bob Menschel Feb 10 2005 from Spam-L info #counts SARE_RECV_IP_142046 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05 #max SARE_RECV_IP_142046 8s/0h of 238550 corpus (112525s/126025h RM) 02/28/05 #counts SARE_RECV_IP_142046 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_IP_142046 5s/0h of 155106 corpus (103557s/51549h DOC) 05/14/06 #counts SARE_RECV_IP_142046 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 #counts SARE_RECV_IP_142046 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 #counts SARE_RECV_IP_142046 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 header SARE_RECV_IP_192116 Received =~ /\[192\.116\.13[3-7]\.\d{1,3}\]/ describe SARE_RECV_IP_192116 Passed through possible spammer relay or source score SARE_RECV_IP_192116 0.861 #note SARE_RECV_IP_192116 GILAT-SATCOM #hist SARE_RECV_IP_192116 Created by Bob Menschel Nov 16 2004 #counts SARE_RECV_IP_192116 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_192116 52s/0h of 400432 corpus (178148s/222284h RM) 03/31/05 #counts SARE_RECV_IP_192116 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_192116 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_RECV_IP_192116 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_192116 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_IP_192116 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_RECV_IP_200150 Received =~ /\[200\.150\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_200150 Spam passed through possible spammer relay score SARE_RECV_IP_200150 0.612 #ham SARE_RECV_IP_200150 confirmed (2) #hist SARE_RECV_IP_200150 Created by Bob Menschel Aug 29 2004 #counts SARE_RECV_IP_200150 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_200150 142s/1h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts 
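SARE_RECV_IP_200150 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_RECV_IP_200150 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts SARE_RECV_IP_200150 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#counts SARE_RECV_IP_200150 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_RECV_IP_200150 3s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_RECV_IP_200150 14s/5h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_IP_200150 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# SARE_RECV_IP_203210128: fires when any Received header contains a bracketed
# address 203.210.N.x with N matched by (?:1(?:2[89]|[3-9]\d)|2\d\d), i.e.
# 128-199 or 200-299 (values above 255 cannot occur in a real address, so the
# effective range is 128-255).
# Fix: the dot after "203" is now escaped. The original /\[203.210\./ let "."
# match any character; the practical effect was small because the rest of the
# pattern still has to look like a bracketed address, but the rule now matches
# only the literal prefix it is named for.
# Caveat: this regex is tested against every Received header, including the ones
# written before the message reached the local relays, and those are
# sender-supplied. A hit is supporting evidence, not proof of origin. The
# #ham/#max lines below record ham hits (56s/13h), so keep the score below 1.
header SARE_RECV_IP_203210128 Received =~ /\[203\.210\.(?:1(?:2[89]|[3-9]\d)|2\d\d)\.\d{1,3}\]/
describe SARE_RECV_IP_203210128 Spam passed through possible spammer relay
score SARE_RECV_IP_203210128 0.959
#ham SARE_RECV_IP_203210128 verified (3)
#hist SARE_RECV_IP_203210128 Created by Bob Menschel May 14 2005
#note SARE_RECV_IP_203210128 Vietnam Posts and Telecommunications (VNPT)
#counts SARE_RECV_IP_203210128 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_IP_203210128 56s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_RECV_IP_203210128 43s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_RECV_IP_203210128 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_RECV_IP_203210128 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_RECV_IP_203210128 13s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_IP_203210128 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max SARE_RECV_IP_203210128 79s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts SARE_RECV_IP_203210128 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts SARE_RECV_IP_203210128 116s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# SARE_RECV_IP_203177: bracketed address 203.177.N.x in any Received header,
# with N = 128-191 (1 followed by 2[89], [3-8]\d or 9[01]).
header SARE_RECV_IP_203177 Received =~ /\[203\.177\.1(?:2[89]|[3-8]\d|9[01])\.\d{1,3}\]/
describe SARE_RECV_IP_203177 Passed through possible spammer relay or source
score SARE_RECV_IP_203177 0.772
#hist SARE_RECV_IP_203177 Created by Bob Menschel Aug 20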
2004 #ham SARE_RECV_IP_203177 verified (1) #counts SARE_RECV_IP_203177 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #max SARE_RECV_IP_203177 42s/0h of 400432 corpus (178148s/222284h RM) 03/31/05 #counts SARE_RECV_IP_203177 23s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_203177 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_203177 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #max SARE_RECV_IP_203177 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #counts SARE_RECV_IP_203177 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_203177 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_203177 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_203177 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_206131 Received =~ /\[206\.131\.2(?:2[4-9]|[345]\d)\.\d{1,3}\]/ describe SARE_RECV_IP_206131 Spam passed through possible spammer relay score SARE_RECV_IP_206131 1.666 #ham SARE_RECV_IP_206131 confirmed (1) #hist SARE_RECV_IP_206131 Created by Bob Menschel Feb 5 2005 from Spam-L info #note SARE_RECV_IP_206131 Minerva Network Systems, Inc. 
#counts SARE_RECV_IP_206131 54s/1h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_206131 2849s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_206131 692s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_206131 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05 #counts SARE_RECV_IP_206131 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_206131 34s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_RECV_IP_206131 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_IP_206131 1699s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_206131 31s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_209051 Received =~ /\[209\.51\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/ describe SARE_RECV_IP_209051 Spam passed through possible spammer relay score SARE_RECV_IP_209051 1.111 #stype SARE_RECV_IP_209051 spamp #hist SARE_RECV_IP_209051 Created by Bob Menschel Aug 07 2005 #note SARE_RECV_IP_209051 S-INFOTECH, Inc. 
#counts SARE_RECV_IP_209051 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_IP_209051 56s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_RECV_IP_209051 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts SARE_RECV_IP_209051 22s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_IP_209051 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
#counts SARE_RECV_IP_209051 1s/1h of 22942 corpus (17234s/5708h MY) 05/14/06

# SARE_RECV_IP_216118120: bracketed address 216.118.120.N in any Received
# header, with N = 64-91 (6[4-9], [78]\d or 9[0-1]).
# This is the highest-scoring rule in this group (2.222) and its most recent
# mass-check rows show few or no hits, so it is a candidate for re-validation.
header SARE_RECV_IP_216118120 Received =~ /\[216\.118\.120\.(?:6[4-9]|[78]\d|9[0-1])\]/
describe SARE_RECV_IP_216118120 Spam passed through possible spammer relay
score SARE_RECV_IP_216118120 2.222
#hist SARE_RECV_IP_216118120 Created by Bob Menschel Aug 07 2005
#counts SARE_RECV_IP_216118120 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_IP_216118120 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_RECV_IP_216118120 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts SARE_RECV_IP_216118120 10s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_RECV_IP_216118120 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# SARE_RECV_IP_211216: bracketed address 211.N.x.x in any Received header.
# N is "2" followed by either 1[6-9] (216-219) or 2[0-5]\d, and the second
# branch needs four digits (2200-2259), which no real octet has. As written
# the rule therefore matches 211.216 - 211.219 only.
# NOTE(review): the second branch looks like a typo for a wider range (e.g.
# 2[0-5] or [2-5]\d). Confirm the intended allocation before changing it:
# widening the match affects the naver.com false-positive concern in the #note
# below, and the mass-check counts were produced with the regex as it stands.
header SARE_RECV_IP_211216 Received =~ /\[211\.2(?:1[6-9]|2[0-5]\d)\.\d{1,3}\.\d{1,3}\]/
describe SARE_RECV_IP_211216 Passed through possible spammer relay or source
score SARE_RECV_IP_211216 0.978
#stype SARE_RECV_IP_211216 max:1.000
#ham SARE_RECV_IP_211216 confirmed (1) - YahooGroups moderated group, posting approved by moderator
#hist SARE_RECV_IP_211216 Created by Bob Menschel Aug 20 2004
#note SARE_RECV_IP_211216 Korea Telecom
#note SARE_RECV_IP_211216 Score kept low to avoid FPs for naver.com
#counts SARE_RECV_IP_211216 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_RECV_IP_211216 1308s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_RECV_IP_211216 33s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_RECV_IP_211216 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts
SARE_RECV_IP_211216 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_211216 40s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_RECV_IP_211216 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_211216 14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_IP_211216 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_211216 14s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_212068 Received =~ /\[212\.68\.2[45]\d\.\d{1,3}\]/ describe SARE_RECV_IP_212068 Spam passed through possible spammer relay score SARE_RECV_IP_212068 1.111 #stype SARE_RECV_IP_212068 spamp #hist SARE_RECV_IP_212068 Created by Bob Menschel Apr 09 2004 #counts SARE_RECV_IP_212068 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_212068 18s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_212068 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_212068 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_212068 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 #counts SARE_RECV_IP_212068 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_212068 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_IP_212068 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_212068 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_216022 Received =~ /\[216\.22\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_216022 Spam passed through possible spammer relay score SARE_RECV_IP_216022 1.666 #hist SARE_RECV_IP_216022 Created by Bob Menschel May 14 2005 #counts SARE_RECV_IP_216022 270s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_216022 1146s/5h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_216022 196s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_216022 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts 
SARE_RECV_IP_216022 554s/6h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_216022 212s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 #counts SARE_RECV_IP_216022 307s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 header SARE_RECV_IP_218070 Received =~ /\[218\.70\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_218070 Spam passed through possible spammer relay score SARE_RECV_IP_218070 1.111 #stype SARE_RECV_IP_218070 spamp #counts SARE_RECV_IP_218070 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_218070 21s/0h of 112471 corpus (92494s/19977h) 03/14/04 #counts SARE_RECV_IP_218070 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_218070 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #max SARE_RECV_IP_218070 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 #counts SARE_RECV_IP_218070 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_218070 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 #counts SARE_RECV_IP_218070 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_IP_218070 3s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_218072 Received =~ /\[218\.72\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_218072 Spam passed through possible spammer relay score SARE_RECV_IP_218072 0.813 #hist SARE_RECV_IP_218072 Created by Bob Menschel May 23 2004 #counts SARE_RECV_IP_218072 87s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #counts SARE_RECV_IP_218072 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_IP_218072 22s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 #counts SARE_RECV_IP_218072 13s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_218072 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_218072 133s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #counts SARE_RECV_IP_218072 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_218072 13s/0h of 11052 
corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_218072 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_218072 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_218078 Received =~ /\[218\.(?:7[89]|8[0123])\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_218078 Passed through possible spammer relay or source score SARE_RECV_IP_218078 1.666 #hist SARE_RECV_IP_218078 Created by Bob Menschel Oct 07 2004 #ham SARE_RECV_IP_218078 confirmed (1) #note SARE_RECV_IP_218078 ChinaNet, Shanghai Province #counts SARE_RECV_IP_218078 34s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_218078 581s/0h of 400432 corpus (178148s/222284h RM) 03/31/05 #counts SARE_RECV_IP_218078 51s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_218078 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_IP_218078 136s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_218078 677s/0h of 47283 corpus (43206s/4077h MY) 06/05/05 #counts SARE_RECV_IP_218078 53s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_218078 74s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_IP_218078 67s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_218078 58s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_218088 Received =~ /\[218\.8[89]\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_218088 Passed through possible spammer relay or source score SARE_RECV_IP_218088 1.100 #ham SARE_RECV_IP_218088 confirmed: 1 #note SARE_RECV_IP_218088 CHINANET sichuan province network #hist SARE_RECV_IP_218088 Created by Bob Menschel Nov 04 2004 #counts SARE_RECV_IP_218088 29s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_218088 111s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #counts SARE_RECV_IP_218088 15s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_218088 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 
06/10/05 #max SARE_RECV_IP_218088 13s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05 #counts SARE_RECV_IP_218088 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_218088 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05 #counts SARE_RECV_IP_218088 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_218088 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_218088 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_218088 25s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_218216 Received =~ /\[218\.(?:21[6-9]|22\d|23[01])\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_218216 Passed through possible spammer relay or source score SARE_RECV_IP_218216 0.629 #ham SARE_RECV_IP_218216 confirmed (2) #hist SARE_RECV_IP_218216 Created by Bob Menschel Oct 23 2004 #counts SARE_RECV_IP_218216 88s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_218216 260s/8h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_218216 31s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_218216 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_RECV_IP_218216 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_218216 12s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #counts SARE_RECV_IP_218216 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_218216 11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_IP_218216 121s/22h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_218216 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_219128 Received =~ /\[219\.1(?:2[89]|3[0-7])\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_219128 Passed through possible spammer relay or source score SARE_RECV_IP_219128 1.666 #hist SARE_RECV_IP_219128 Created by Bob Menschel Aug 23 2004 #counts SARE_RECV_IP_219128 381s/1h of 173032 corpus (99056s/73976h RM) 05/11/06 #max 
SARE_RECV_IP_219128 1752s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_219128 114s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_219128 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_IP_219128 79s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_219128 225s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_RECV_IP_219128 52s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_RECV_IP_219128 36s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_219128 116s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_220116 Received =~ /\[220\.(?:11[6-9]|12[0-7])\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_220116 Passed through possible spammer relay or source score SARE_RECV_IP_220116 1.666 #ham SARE_RECV_IP_220116 confirmed (1) #hist SARE_RECV_IP_220116 Created by Bob Menschel Jul 17 2004 #note SARE_RECV_IP_220116 Korea Telecom #counts SARE_RECV_IP_220116 180s/1h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_220116 1177s/1h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_220116 192s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_220116 108s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_IP_220116 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_220116 161s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_RECV_IP_220116 23s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_220116 58s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #counts SARE_RECV_IP_220116 206s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_220116 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_221124 Received =~ /\[221\.12[4-7]\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_221124 Spam passed through possible spammer relay score SARE_RECV_IP_221124 1.666 #hist SARE_RECV_IP_221124 Created by Bob 
Menschel May 30 2004 #counts SARE_RECV_IP_221124 91s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_221124 633s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_221124 88s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_221124 66s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_IP_221124 74s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05 #counts SARE_RECV_IP_221124 4s/1h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_221124 16s/1h of 47283 corpus (43206s/4077h MY) 06/05/05 #counts SARE_RECV_IP_221124 15s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_221124 24s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_221124 56s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_221124 119s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_222000 Received =~ /\[222\.(?:\d|1[0-5])\.\d{1,3}\.\d{1,3}\]/ describe SARE_RECV_IP_222000 Passed through possible spammer relay or source score SARE_RECV_IP_222000 1.508 #ham SARE_RECV_IP_222000 confirmed (1) #hist SARE_RECV_IP_222000 Created by Bob Menschel Aug 09 2004 #counts SARE_RECV_IP_222000 79s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_222000 171s/19h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_RECV_IP_222000 80s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_222000 20s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_RECV_IP_222000 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 #counts SARE_RECV_IP_222000 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_222000 7s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_IP_222000 133s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_222000 18s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 header SARE_RECV_IP_222064 Received =~ /\[222\.(?:6[4-9]|7[0-3])\.\d{1,3}\.\d{1,3}\]/ describe 
SARE_RECV_IP_222064 Spam passed through possible spammer relay score SARE_RECV_IP_222064 1.666 #ham SARE_RECV_IP_222064 verified (1) #hist SARE_RECV_IP_222064 Created by Bob Menschel Apr 18 2004 #counts SARE_RECV_IP_222064 115s/1h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_IP_222064 831s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 #counts SARE_RECV_IP_222064 54s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_RECV_IP_222064 95s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_RECV_IP_222064 97s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05 #counts SARE_RECV_IP_222064 189s/1h of 22942 corpus (17234s/5708h MY) 05/14/06 #max SARE_RECV_IP_222064 849s/1h of 47283 corpus (43206s/4077h MY) 06/05/05 #counts SARE_RECV_IP_222064 17s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_RECV_IP_222064 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_RECV_IP_222064 352s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_RECV_IP_222064 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 ##################################################################################### # SARE Reply-To Rules ######## ###################### ################################################## ##################################################################################### # SARE To/Cc Destination rules ######## ###################### ################################################## header SARE_TO_EMPTY To =~ /<>/ describe SARE_TO_EMPTY To address is set to empty #core SARE_TO_EMPTY 0.330 0.550 0.000 0.550 # prev target: 0.660 when added to TO_NO_USER score SARE_TO_EMPTY 0.000 0.222 0.000 0.222 # curr target: 0.333 when added to TO_NO_USER #hist SARE_TO_EMPTY Originally submitted by Bob Menschel #overlap SARE_TO_EMPTY Distrib: TO_NO_USER: score TO_NO_USER 0.332 0.116 1.615 0.128 #counts SARE_TO_EMPTY 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_TO_EMPTY 26s/0h of 114241 corpus (81067s/33174h RM) 
01/15/05 #counts SARE_TO_EMPTY 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_TO_EMPTY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_TO_EMPTY 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 #max SARE_TO_EMPTY 0s/1h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_TO_EMPTY 0s/2h of 5653 corpus (1019s/4634h ft) 06/04/05 ##################################################################################### # SARE X-Mailer Rules ######## ###################### ################################################## header SARE_XMAIL_PSSMAILER X-Mailer =~ /PSS Mailer/ describe SARE_XMAIL_PSSMAILER Apparently uses bulk mailer score SARE_XMAIL_PSSMAILER 1.111 #stype SARE_XMAIL_PSSMAILER spamp #hist SARE_XMAIL_PSSMAILER RM_hxm_PSSMailer #counts SARE_XMAIL_PSSMAILER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_XMAIL_PSSMAILER 12s/0h of 273595 corpus (108821s/164774h RM) 05/13/05 #counts SARE_XMAIL_PSSMAILER 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04 #counts SARE_XMAIL_PSSMAILER 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04 #counts SARE_XMAIL_PSSMAILER 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_XMAIL_PSSMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_XMAIL_RLSP X-Mailer =~ /RLSP/ describe SARE_XMAIL_RLSP Uses Bulk Mailer used by spammers score SARE_XMAIL_RLSP 0.740 #ham SARE_XMAIL_RLSP cartoon newsletter, personal emails (2) #hist SARE_XMAIL_RLSP Created by Bob Menschel Sep 27 2004 #counts SARE_XMAIL_RLSP 26s/4h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_XMAIL_RLSP 1782s/4h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_XMAIL_RLSP 52s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_XMAIL_RLSP 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_XMAIL_RLSP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_XMAIL_RLSP 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #max SARE_XMAIL_RLSP 5s/0h of 10590 corpus 
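(5819s/4771h CT) 07/26/05
#counts SARE_XMAIL_RLSP 68s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_XMAIL_RLSP 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06

#####################################################################################
# SARE Miscellaneous and X-Header header rules
######## ###################### ##################################################

# SARE_HEAD_DATE14: the whole Date header is 1 to 14 characters long.
# A describe line is added; the rule had none, so reports showed no description.
header SARE_HEAD_DATE14 Date =~ /^.{1,14}$/
describe SARE_HEAD_DATE14 Date header is suspiciously short
score SARE_HEAD_DATE14 0.847
#counts SARE_HEAD_DATE14 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_DATE14 313s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_DATE14 43s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts SARE_HEAD_DATE14 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts SARE_HEAD_DATE14 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_HEAD_DATE14 0s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_DATE14 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_DATE14 2s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06

# SARE_HEAD_DATE46: the whole Date header is exactly 46 characters long.
# This matches on length alone, so any sender whose Date line has that length
# hits it (see the #ham line).
header SARE_HEAD_DATE46 Date =~ /^.{46}$/
describe SARE_HEAD_DATE46 Date header suggests this is spam
score SARE_HEAD_DATE46 1.666
#ham SARE_HEAD_DATE46 Confirmed (1)
#counts SARE_HEAD_DATE46 409s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_DATE46 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HEAD_DATE46 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts SARE_HEAD_DATE46 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts SARE_HEAD_DATE46 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_DATE46 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_DATE46 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# SARE_HEAD_MIME_INVALID: a MIME-Version header exists but its value does not
# start with (optional whitespace and) "1.0".
# Fix: the dot in the "valid" sub-rule is now escaped. With the original
# m'^\s*1.0\b' any character was accepted between 1 and 0, so values such as
# "1,0" or "1x0" counted as valid and never reached the meta rule.
# Mail with such a value now scores here, so re-run mass-check after deploying;
# the counts below were produced with the unescaped pattern (note the FT corpus
# row with ham-only hits).
header __MIME_VERSION exists:MIME-Version
header __SARE_HEAD_MIME_VALID Mime-Version =~ m'^\s*1\.0\b'
meta SARE_HEAD_MIME_INVALID !__SARE_HEAD_MIME_VALID && __MIME_VERSION
describe SARE_HEAD_MIME_INVALID Invalid mime version
score SARE_HEAD_MIME_INVALID 1.116
#ham SARE_HEAD_MIME_INVALID confirmed
#hist SARE_HEAD_MIME_INVALID Bob Menschel, June 15 2005, inspired by Alex Broens
#counts SARE_HEAD_MIME_INVALID 433s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#counts SARE_HEAD_MIME_INVALID 7s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
#counts SARE_HEAD_MIME_INVALID 3s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#counts SARE_HEAD_MIME_INVALID 0s/5h of 15713 corpus (7767s/7946h FT) 05/14/06
#counts SARE_HEAD_MIME_INVALID 172s/0h of 105832 corpus (72573s/33259h ML) 05/14/06

# SARE_HEAD_ORG_PREFIXW: Organization header contains the phrase
# "Prefix that with" (case-insensitive).
header SARE_HEAD_ORG_PREFIXW Organization =~ /Prefix that with/i
describe SARE_HEAD_ORG_PREFIXW Spam sign in Organization header
score SARE_HEAD_ORG_PREFIXW 0.617
#hist SARE_HEAD_ORG_PREFIXW Alex Broens, Feb 20 2005
#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max SARE_HEAD_ORG_PREFIXW 10s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_HEAD_ORG_PREFIXW 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# SARE_HEAD_XLIB_INDY1 / SARE_HEAD_XLIB_INDY2: X-Library header names one
# specific Indy library version string.
# Fix: the dots in both version strings are now escaped, so each rule matches
# only the literal version it names (the original "." matched any character).
# A space is also added before "=~" to match the other rules in this file.
# The header value is chosen by the sending software and can be set to
# anything, so these are signatures of a tool, not of a sender.
header SARE_HEAD_XLIB_INDY1 X-Library =~ /Indy 10\.00\.14-B/
describe SARE_HEAD_XLIB_INDY1 Uses S/W version which has only been seen in spam
score SARE_HEAD_XLIB_INDY1 0.844
#hist SARE_HEAD_XLIB_INDY1 Originally submitted by Bob Menschel, RM.hxl_ForgedIndy
#counts SARE_HEAD_XLIB_INDY1 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
#max SARE_HEAD_XLIB_INDY1 30s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
#counts SARE_HEAD_XLIB_INDY1 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max SARE_HEAD_XLIB_INDY1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts SARE_HEAD_XLIB_INDY1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max SARE_HEAD_XLIB_INDY1 13s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_HEAD_XLIB_INDY1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts SARE_HEAD_XLIB_INDY1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# NOTE(review): the describe text says "only been seen in spam", but the #ham
# and #max lines below record a verified ham hit (130s/1h).
header SARE_HEAD_XLIB_INDY2 X-Library =~ /Indy 8\.0\.25/
describe SARE_HEAD_XLIB_INDY2 Uses S/W version which has only been seen in spam
score SARE_HEAD_XLIB_INDY2 1.272
#ham SARE_HEAD_XLIB_INDY2 verified (1)
#hist SARE_HEAD_XLIB_INDY2 Created by Bob Menschel May 31 2004
#counts SARE_HEAD_XLIB_INDY2 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_XLIB_INDY2 130s/1h of 327690 corpus (159737s/167953h RM) 07/27/05
#counts SARE_HEAD_XLIB_INDY2 91s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts SARE_HEAD_XLIB_INDY2 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts SARE_HEAD_XLIB_INDY2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max SARE_HEAD_XLIB_INDY2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_HEAD_XLIB_INDY2 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max SARE_HEAD_XLIB_INDY2 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts SARE_HEAD_XLIB_INDY2 30s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_XLIB_INDY2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

# SARE_HEAD_XUNSENT: X-Unsent header contains a standalone "1".
# Presumably the marker some mail clients put on saved, unsent drafts - confirm.
# The /i modifier has no effect on a digit-only pattern.
header SARE_HEAD_XUNSENT X-Unsent =~ /\b1\b/i
describe SARE_HEAD_XUNSENT Found spamsign header
score SARE_HEAD_XUNSENT 1.666
#hist SARE_HEAD_XUNSENT Alex Broens, June 10 2005
#counts SARE_HEAD_XUNSENT 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max SARE_HEAD_XUNSENT 15436s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts SARE_HEAD_XUNSENT 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
#counts SARE_HEAD_XUNSENT 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
#max SARE_HEAD_XUNSENT 57s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts SARE_HEAD_XUNSENT 126s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts SARE_HEAD_XUNSENT 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06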
#max SARE_HEAD_XUNSENT 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05 #counts SARE_HEAD_XUNSENT 98s/0h of 53950 corpus (16777s/37173h JH-3.01) 06/11/05 #counts SARE_HEAD_XUNSENT 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 ##################################################################################### # SARE Rules which examine multiple header types ######## ###################### ################################################## header SARE_HEAD_8BIT_DATE Date =~ /[\x80-\xff]{3}/ describe SARE_HEAD_8BIT_DATE High-ascii characters found in strange header score SARE_HEAD_8BIT_DATE 1.666 #hist SARE_HEAD_8BIT_DATE From Bugzilla # 2243 #ham SARE_HEAD_8BIT_DATE verified (1) #counts SARE_HEAD_8BIT_DATE 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_8BIT_DATE 433s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_HEAD_8BIT_DATE 116s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_HEAD_8BIT_DATE 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_HEAD_8BIT_DATE 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05 #counts SARE_HEAD_8BIT_DATE 71s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 #counts SARE_HEAD_8BIT_DATE 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_HEAD_8BIT_DATE 65s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 header SARE_MULT_VIA_CITIZNET ALL =~ /\@(?:\w+\.)?citiz\.net\b/i describe SARE_MULT_VIA_CITIZNET header references apparent spam source score SARE_MULT_VIA_CITIZNET 1.394 #ham SARE_MULT_VIA_CITIZNET confirmed (2) #hist SARE_MULT_VIA_CITIZNET Created by Bob Menschel Aug 23 2004 #counts SARE_MULT_VIA_CITIZNET 25s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_MULT_VIA_CITIZNET 37s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_MULT_VIA_CITIZNET 60s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 #counts SARE_MULT_VIA_CITIZNET 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #max SARE_MULT_VIA_CITIZNET 8s/0h of 18651 corpus (16120s/2531h 
MY) 08/29/04 #counts SARE_MULT_VIA_CITIZNET 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_MULT_VIA_CITIZNET 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_MULT_VIA_CITIZNET 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 #counts SARE_MULT_VIA_CITIZNET 40s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 #counts SARE_MULT_VIA_CITIZNET 13s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 # EOF