# SARE Header Abuse Ruleset for SpamAssassin -- file 2 # Version: 01.03.21 # Created: 2004-04-25 # Modified: 2006-05-21 # Usage instructions and documentation in 70_sare_header0.cf # Full Revision History / Change Log in 70_sare_header.log #@@# 01.03.20 May 20 2005 #@@# Minor score updates based on additional mass-check #@@# Modified "rule has been moved" meta flags #@@# Moved file 0 to file 2 SARE_BOUNDARY_02 #@@# Moved file 0 to file 2 SARE_BOUNDARY_ANYDIG #@@# Moved file 0 to file 2 SARE_BOUNDARY_D11 #@@# Moved file 0 to file 2 SARE_FROM_SPAM_NAME2 #@@# Moved file 0 to file 2 SARE_FROM_WSJ #@@# Moved file 0 to file 2 SARE_HEAD_BDY_BOUNCES %%% OR ARCHIVE #@@# Moved file 0 to file 2 SARE_HEAD_HDR_CONVER #@@# Moved file 0 to file 2 SARE_HEAD_HDR_NLETRID #@@# Moved file 0 to file 2 SARE_HEAD_HDR_PID #@@# Moved file 0 to file 2 SARE_HEAD_HDR_XBNCETR #@@# Moved file 0 to file 2 SARE_HEAD_HDR_XGMAILA #@@# Moved file 0 to file 2 SARE_HEAD_HDR_XIDSRVR #@@# Moved file 0 to file 2 SARE_HEAD_THRD_ALNUM #@@# Moved file 0 to file 2 SARE_HEAD_XM4 #@@# Moved file 0 to file 2 SARE_HEAD_XMF_AUTHSNDR #@@# Moved file 0 to file 2 SARE_HELO_MAILUSER #@@# Moved file 0 to file 2 SARE_MSGID_HEX30 #@@# Moved file 0 to file 2 SARE_MULT_SEXCLUB #@@# Moved file 0 to file 2 SARE_MULT_SUBJ #@@# Moved file 0 to file 2 SARE_RECV_IP_004078 #@@# Moved file 0 to file 2 SARE_RECV_IP_038112147 #@@# Moved file 0 to file 2 SARE_RECV_IP_064192082 #@@# Moved file 0 to file 2 SARE_RECV_IP_066063 #@@# Moved file 0 to file 2 SARE_RECV_IP_066114a #@@# Moved file 0 to file 2 SARE_RECV_IP_066159017 #@@# Moved file 0 to file 2 SARE_RECV_IP_069060122 #@@# Moved file 0 to file 2 SARE_RECV_IP_070096177 #@@# Moved file 0 to file 2 SARE_RECV_IP_207182 #@@# Moved file 0 to file 2 SARE_RECV_IP_208048182 #@@# Moved file 0 to file 2 SARE_RECV_IP_216055133 #@@# Moved file 0 to file 2 SARE_RECV_LOCALHOST #@@# Moved file 0 to file 2 SARE_RECV_SUSP_2 #@@# Moved file 0 to file 2 SARE_RECV_TRADVALUES #@@# Moved file 0 to file 2 SARE_RECV_VIPLIST #@@# Moved file 0 to file 2 SARE_RECV_XACTRIX #@@# Moved file 0 to file 2 SARE_REPLY_XACTRIX #@@# Moved file 0 to file 2 SARE_XMAIL_DIRUNIV #@@# Moved file 0 to file 2 SARE_XMAIL_INTERMED #@@# Moved file 0 to file 2 SARE_XMAIL_LEO #@@# Moved file 0 to file 2 SARE_XMAIL_PHPBulkEmai #@@# Moved file 0 to file 3 SARE_RECV_ADDR5 #@@# Moved file 1 to file 2 SARE_HEAD_DATE_RNDDATE #@@# Moved file 1 to file 2 SARE_HEAD_HDR_MSGTYPE #@@# Moved file 1 to file 2 SARE_HEAD_HDR_X400RCV #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XCNDINF #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XRIPE #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XSAFMMI #@@# Moved file 1 to file 2 SARE_RECV_IP_062023 #@@# Moved file 1 to file 2 SARE_RECV_IP_065205157 #@@# Moved file 1 to file 2 SARE_RECV_IP_066248154 #@@# Moved file 1 to file 2 SARE_RECV_IP_206248152 #@@# Moved file 1 to file 2 SARE_RECV_RND_DATE #@@# Moved file 1 to file 2 SARE_XMAIL_GDI #@@# Moved file 2 to file 0 SARE_HEAD_HDR_CONVWLS #@@# Moved file 2 to file 0 SARE_HEAD_SUBJ_RAND #@@# Moved file 2 to file 0 SARE_HEAD_XORIP_IP #@@# Moved file 2 to file 3 SARE_MULT_RATW_03 #@@# Returned file 2 to file 0 SARE_HEAD_HDR_EPATH #@@# Returned file 2 to file 0 SARE_RECV_IP_063111025 #@@# Returned file 2 to file 1 SARE_RECV_IP_142046 #@@# 01.03.21 May 21 2005 #@@# Minor repairs to "downgraded rule" metas. ######## ###################### ################################################## # Meta rules used to prevent --lint errors after moving/changing rules ######## ###################### ################################################## meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM meta SARE_MULT_RATW_03 __SARE_HEAD_FALSE ######## ###################### ################################################## # Component rules used within meta rules ######## ###################### ################################################## header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/ ##################################################################################### # SARE Header-Exists rules ######## ###################### ################################################## header SARE_HEAD_HDR_CONVER exists:Conversion describe SARE_HEAD_HDR_CONVER Message headers used which identify spam score SARE_HEAD_HDR_CONVER 1.111 #stype SARE_HEAD_HDR_CONVER spamp #counts SARE_HEAD_HDR_CONVER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_CONVER 54s/0h of 275081 corpus (134226s/140855h RM) 05/30/05 #counts SARE_HEAD_HDR_CONVER 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_CONVER 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_HEAD_HDR_CONVER 10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_CONVER 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 #max SARE_HEAD_HDR_CONVER 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_HEAD_HDR_CONVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 #counts SARE_HEAD_HDR_CONVER 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 header SARE_HEAD_HDR_JLH exists:X-JLH describe SARE_HEAD_HDR_JLH Message headers used which identify spam score SARE_HEAD_HDR_JLH 1.111 #stype SARE_HEAD_HDR_JLH spamp #counts SARE_HEAD_HDR_JLH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05 #max SARE_HEAD_HDR_JLH 71s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 #counts SARE_HEAD_HDR_JLH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_JLH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_JLH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 #counts SARE_HEAD_HDR_JLH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 header SARE_HEAD_HDR_MSGTYPE exists:Message-Type describe SARE_HEAD_HDR_MSGTYPE Message headers used which identify spam score SARE_HEAD_HDR_MSGTYPE 0.555 #stype SARE_HEAD_HDR_MSGTYPE spamp #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_MSGTYPE 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_NLETRID exists:Newsletter-ID describe SARE_HEAD_HDR_NLETRID Message headers used which identify spam score SARE_HEAD_HDR_NLETRID 1.666 #stype SARE_HEAD_HDR_NLETRID spamp #counts SARE_HEAD_HDR_NLETRID 0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05 #max SARE_HEAD_HDR_NLETRID 173s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #max SARE_HEAD_HDR_NLETRID 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_HEAD_HDR_NLETRID 28s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #max SARE_HEAD_HDR_NLETRID 12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_PID exists:PID describe SARE_HEAD_HDR_PID Message headers used which identify spam score SARE_HEAD_HDR_PID 1.666 #stype SARE_HEAD_HDR_PID spamp #counts SARE_HEAD_HDR_PID 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_PID 139s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #counts SARE_HEAD_HDR_PID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_PID 36s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_HEAD_HDR_PID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #max SARE_HEAD_HDR_PID 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 #counts SARE_HEAD_HDR_PID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_REDIRTO exists:Redirect-to describe SARE_HEAD_HDR_REDIRTO Message headers used which identify spam score SARE_HEAD_HDR_REDIRTO 0.555 #stype SARE_HEAD_HDR_REDIRTO spamp #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #max SARE_HEAD_HDR_REDIRTO 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_ROT exists:Rot describe SARE_HEAD_HDR_ROT Message headers used which identify spam score SARE_HEAD_HDR_ROT 0.555 #stype SARE_HEAD_HDR_ROT spamp #counts SARE_HEAD_HDR_ROT 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #max SARE_HEAD_HDR_ROT 3s/0h of 114261 corpus (81069s/33192h RM) 01/15/05 #counts SARE_HEAD_HDR_ROT 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_ROT 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_ROT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_ROT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_RTNPATH exists:List-Return-Path describe SARE_HEAD_HDR_RTNPATH Message headers used which identify spam score SARE_HEAD_HDR_RTNPATH 1.111 #stype SARE_HEAD_HDR_RTNPATH spamp #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05 #max SARE_HEAD_HDR_RTNPATH 32s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_WCMSGID exists:WcMessage-ID describe SARE_HEAD_HDR_WCMSGID Message headers used which identify spam score SARE_HEAD_HDR_WCMSGID 0.555 #stype SARE_HEAD_HDR_WCMSGID spamp #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #max SARE_HEAD_HDR_WCMSGID 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_X400MTI exists:X400-MTS-Identifier describe SARE_HEAD_HDR_X400MTI Message headers used which identify spam score SARE_HEAD_HDR_X400MTI 0.555 #stype SARE_HEAD_HDR_X400MTI spamp #counts SARE_HEAD_HDR_X400MTI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #max SARE_HEAD_HDR_X400MTI 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_X400RCV exists:X400-Received describe SARE_HEAD_HDR_X400RCV Message headers used which identify spam score SARE_HEAD_HDR_X400RCV 0.555 #stype SARE_HEAD_HDR_X400RCV spamp #counts SARE_HEAD_HDR_X400RCV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_X400RCV 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XAR exists:X-AR describe SARE_HEAD_HDR_XAR Message headers used which identify spam score SARE_HEAD_HDR_XAR 0.555 #stype SARE_HEAD_HDR_XAR spamp #counts SARE_HEAD_HDR_XAR 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05 #max SARE_HEAD_HDR_XAR 2s/0h of 66087 corpus (40127s/25960h RM) 09/11/04 #counts SARE_HEAD_HDR_XAR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XAR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XAR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XAR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XAUTGEN exists:X-Auto-Generated describe SARE_HEAD_HDR_XAUTGEN Message headers used which identify spam score SARE_HEAD_HDR_XAUTGEN 0.555 #stype SARE_HEAD_HDR_XAUTGEN spamp #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #max SARE_HEAD_HDR_XAUTGEN 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XBNCETR exists:X-BounceTrace describe SARE_HEAD_HDR_XBNCETR Message headers used which identify spam score SARE_HEAD_HDR_XBNCETR 1.111 #stype SARE_HEAD_HDR_XBNCETR spamp #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_XBNCETR 96s/0h of 619677 corpus (318875s/300802h RM) 09/11/05 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XCNDINF exists:X-CND-Info describe SARE_HEAD_HDR_XCNDINF Message headers used which identify spam score SARE_HEAD_HDR_XCNDINF 0.555 #stype SARE_HEAD_HDR_XCNDINF spamp #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_XCNDINF 6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XCROSS exists:X-cross describe SARE_HEAD_HDR_XCROSS Message headers used which identify spam score SARE_HEAD_HDR_XCROSS 0.100 #stype SARE_HEAD_HDR_XCROSS spamp #counts SARE_HEAD_HDR_XCROSS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XEMGBMS exists:X-EMailGateBouncedMessage describe SARE_HEAD_HDR_XEMGBMS Message headers used which identify spam score SARE_HEAD_HDR_XEMGBMS 0.555 #stype SARE_HEAD_HDR_XEMGBMS spamp #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05 #max SARE_HEAD_HDR_XEMGBMS 6s/0h of 274235 corpus (109066s/165169h RM) 05/15/05 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XGMAILA exists:X-Gmail-Account describe SARE_HEAD_HDR_XGMAILA Message headers used which identify spam score SARE_HEAD_HDR_XGMAILA 1.111 #stype SARE_HEAD_HDR_XGMAILA spamp #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_XGMAILA 20s/0h of 259338 corpus (110116s/149222h RM) 05/16/05 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XIDSRVR exists:X-Identity-Server describe SARE_HEAD_HDR_XIDSRVR Message headers used which identify spam score SARE_HEAD_HDR_XIDSRVR 1.111 #stype SARE_HEAD_HDR_XIDSRVR spamp #hist SARE_HEAD_HDR_XIDSRVR Bob Menschel, June 3 2005, idea by Alex Broens #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_XIDSRVR 15s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 header SARE_HEAD_HDR_XLC exists:X-L-C describe SARE_HEAD_HDR_XLC Message headers used which identify spam score SARE_HEAD_HDR_XLC 0.100 #stype SARE_HEAD_HDR_XLC spamp #counts SARE_HEAD_HDR_XLC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XLC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XLC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XLC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XLC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XLIDCOD exists:X-LIDCode describe SARE_HEAD_HDR_XLIDCOD Message headers used which identify spam score SARE_HEAD_HDR_XLIDCOD 0.100 #stype SARE_HEAD_HDR_XLIDCOD spamp #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XMISCID exists:X-Misc_ID describe SARE_HEAD_HDR_XMISCID Message headers used which identify spam score SARE_HEAD_HDR_XMISCID 0.100 #stype SARE_HEAD_HDR_XMISCID spamp #hist SARE_HEAD_HDR_XMISCID FH_XMISCID #counts SARE_HEAD_HDR_XMISCID 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XMLCIPH exists:X-mlcipher describe SARE_HEAD_HDR_XMLCIPH Message headers used which identify spam score SARE_HEAD_HDR_XMLCIPH 0.100 #stype SARE_HEAD_HDR_XMLCIPH spamp #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XMLMSGI exists:X-mlmsgid describe SARE_HEAD_HDR_XMLMSGI Message headers used which identify spam score SARE_HEAD_HDR_XMLMSGI 0.100 #stype SARE_HEAD_HDR_XMLMSGI spamp #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XMAGDID exists:X-magdalene-ID describe SARE_HEAD_HDR_XMAGDID Message headers used which identify spam score SARE_HEAD_HDR_XMAGDID 0.555 #stype SARE_HEAD_HDR_XMAGDID spamp #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04 #max SARE_HEAD_HDR_XMAGDID 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XMPM exists:X-mpm describe SARE_HEAD_HDR_XMPM Message headers used which identify spam score SARE_HEAD_HDR_XMPM 0.100 #stype SARE_HEAD_HDR_XMPM spamp #counts SARE_HEAD_HDR_XMPM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XMPM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XMPM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XMPM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XMPM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XMS exists:X-ms describe SARE_HEAD_HDR_XMS Message headers used which identify spam score SARE_HEAD_HDR_XMS 0.100 #stype SARE_HEAD_HDR_XMS spamp #counts SARE_HEAD_HDR_XMS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XNOSPAM exists:X-No-Spam describe SARE_HEAD_HDR_XNOSPAM Message headers used which identify spam score SARE_HEAD_HDR_XNOSPAM 1.111 #stype SARE_HEAD_HDR_XNOSPAM spamp #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05 #max SARE_HEAD_HDR_XNOSPAM 12s/0h of 60201 corpus (35226s/24975h RM) 08/14/04 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #max SARE_HEAD_HDR_XNOSPAM 4s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XNTC exists:X-ntc describe SARE_HEAD_HDR_XNTC Message headers used which identify spam score SARE_HEAD_HDR_XNTC 0.100 #stype SARE_HEAD_HDR_XNTC spamp #counts SARE_HEAD_HDR_XNTC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XNTC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XNTC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XNTC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XNTC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XPOPB4S exists:X-Pop-Before-SMTP-Sender describe SARE_HEAD_HDR_XPOPB4S Message headers used which identify spam score SARE_HEAD_HDR_XPOPB4S 0.555 #stype SARE_HEAD_HDR_XPOPB4S spamp #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #max SARE_HEAD_HDR_XPOPB4S 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XPOPFLK exists:X-POPFile-Link describe SARE_HEAD_HDR_XPOPFLK Message headers used which identify spam score SARE_HEAD_HDR_XPOPFLK 0.555 #stype SARE_HEAD_HDR_XPOPFLK spamp #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04 #max SARE_HEAD_HDR_XPOPFLK 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XPRIOMS exists:X-Prioserve-MailScanner describe SARE_HEAD_HDR_XPRIOMS Message headers used which identify spam score SARE_HEAD_HDR_XPRIOMS 0.555 #stype SARE_HEAD_HDR_XPRIOMS spamp #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #max SARE_HEAD_HDR_XPRIOMS 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XPRIOMF exists:X-Prioserve-MailScanner-From describe SARE_HEAD_HDR_XPRIOMF Message headers used which identify spam score SARE_HEAD_HDR_XPRIOMF 0.555 #stype SARE_HEAD_HDR_XPRIOMF spamp #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #max SARE_HEAD_HDR_XPRIOMF 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XPRIOMI exists:X-Prioserve-MailScanner-Information describe SARE_HEAD_HDR_XPRIOMI Message headers used which identify spam score SARE_HEAD_HDR_XPRIOMI 0.555 #stype SARE_HEAD_HDR_XPRIOMI spamp #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #max SARE_HEAD_HDR_XPRIOMI 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XPIROMC exists:X-Prioserve-MailScanner-SpamCheck describe SARE_HEAD_HDR_XPIROMC Message headers used which identify spam score SARE_HEAD_HDR_XPIROMC 0.555 #stype SARE_HEAD_HDR_XPIROMC spamp #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #max SARE_HEAD_HDR_XPIROMC 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XRBLTST exists:X-RBL-TST describe SARE_HEAD_HDR_XRBLTST Message headers used which identify spam score SARE_HEAD_HDR_XRBLTST 0.555 #stype SARE_HEAD_HDR_XRBLTST spamp #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05 #max SARE_HEAD_HDR_XRBLTST 2s/0h of 114238 corpus (81067s/33171h RM) 01/15/05 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XREC exists:X-Rec describe SARE_HEAD_HDR_XREC Message headers used which identify spam score SARE_HEAD_HDR_XREC 2.222 #stype SARE_HEAD_HDR_XREC spamp #counts SARE_HEAD_HDR_XREC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XREC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XREC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XREC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XRIPE exists:X-RIPE describe SARE_HEAD_HDR_XRIPE Message headers used which identify spam score SARE_HEAD_HDR_XRIPE 1.111 #stype SARE_HEAD_HDR_XRIPE spamp #counts SARE_HEAD_HDR_XRIPE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_XRIPE 16s/0h of 400432 corpus (178148s/222284h RM) 03/31/05 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 10995 corpus (6568s/4427h CT) 03/10/05 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XSAFMMI exists:X-SafeMailer-MsgId describe SARE_HEAD_HDR_XSAFMMI Message headers used which identify spam score SARE_HEAD_HDR_XSAFMMI 0.555 #stype SARE_HEAD_HDR_XSAFMMI spamp #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HEAD_HDR_XSAFMMI 1s/0h of 114238 corpus (81067s/33171h RM) 01/15/05 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XSPAMSC exists:X-Spam-Score describe SARE_HEAD_HDR_XSPAMSC Message headers used which identify spam score SARE_HEAD_HDR_XSPAMSC 0.555 #stype SARE_HEAD_HDR_XSPAMSC spamp #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 60201 corpus (35226s/24975h RM) 08/14/04 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #max SARE_HEAD_HDR_XSPAMSC 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XSRK exists:X-srk describe SARE_HEAD_HDR_XSRK Message headers used which identify spam score SARE_HEAD_HDR_XSRK 0.100 #stype SARE_HEAD_HDR_XSRK spamp #counts SARE_HEAD_HDR_XSRK 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XSRK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XSRK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XSRK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XSRK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XSUBID exists:X-SubID describe SARE_HEAD_HDR_XSUBID Message headers used which identify spam score SARE_HEAD_HDR_XSUBID 0.555 #stype SARE_HEAD_HDR_XSUBID spamp #counts SARE_HEAD_HDR_XSUBID 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05 #max SARE_HEAD_HDR_XSUBID 3s/0h of 114238 corpus (81067s/33171h RM) 01/15/05 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XSUBID 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XTRANS exists:X-Trans describe SARE_HEAD_HDR_XTRANS Message headers used which identify spam score SARE_HEAD_HDR_XTRANS 0.100 #stype SARE_HEAD_HDR_XTRANS spamp #counts SARE_HEAD_HDR_XTRANS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XTXTCLS exists:X-Text-Classification describe SARE_HEAD_HDR_XTXTCLS Message headers used which identify spam score SARE_HEAD_HDR_XTXTCLS 0.555 #stype SARE_HEAD_HDR_XTXTCLS spamp #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04 #max SARE_HEAD_HDR_XTXTCLS 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XVIG exists:X-Vig describe SARE_HEAD_HDR_XVIG Message headers used which identify spam score SARE_HEAD_HDR_XVIG 0.100 #stype SARE_HEAD_HDR_XVIG spamp #counts SARE_HEAD_HDR_XVIG 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XVIG 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XVIG 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XVIG 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XVIG 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XYD exists:X-yd describe SARE_HEAD_HDR_XYD Message headers used which identify spam score SARE_HEAD_HDR_XYD 0.100 #stype SARE_HEAD_HDR_XYD spamp #counts SARE_HEAD_HDR_XYD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XYD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XYD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XYD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XYD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XI exists:X-I describe SARE_HEAD_HDR_XI Message headers used which identify spam score SARE_HEAD_HDR_XI 0.100 #stype SARE_HEAD_HDR_XI spamp #counts SARE_HEAD_HDR_XI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HEAD_HDR_XIM exists:X-IM describe SARE_HEAD_HDR_XIM Message headers used which identify spam score SARE_HEAD_HDR_XIM 0.100 #stype SARE_HEAD_HDR_XIM spamp #counts SARE_HEAD_HDR_XIM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 #counts SARE_HEAD_HDR_XIM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 #counts SARE_HEAD_HDR_XIM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_HEAD_HDR_XIM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HEAD_HDR_XIM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 ##################################################################################### # SARE Content-Type and Boundary rules ######## ###################### ################################################## header SARE_BOUNDARY_01 Content-Type =~ /boundary==?\".{0,}XXXX-/ describe SARE_BOUNDARY_01 Spam tool pattern in MIME boundary score SARE_BOUNDARY_01 0.100 #hist SARE_BOUNDARY_01 L.MIME_BOUND_SIMPLE #counts SARE_BOUNDARY_01 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04 #counts SARE_BOUNDARY_01 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_BOUNDARY_01 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_BOUNDARY_01 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_BOUNDARY_02 Content-Type =~ /boundary\=('|\")?\~{10,}/ describe SARE_BOUNDARY_02 Too many ~'s in the boundary. score SARE_BOUNDARY_02 0.650 #hist SARE_BOUNDARY_02 MY_BOUNDARY2 #counts SARE_BOUNDARY_02 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_BOUNDARY_02 51s/0h of 327690 corpus (159737s/167953h RM) 07/27/05 #counts SARE_BOUNDARY_02 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_BOUNDARY_02 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_BOUNDARY_02 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_BOUNDARY_ANYDIG Content-Type =~ /boundary="--.*\[\d\]/i describe SARE_BOUNDARY_ANYDIG Content type boundary used in spam and viruses score SARE_BOUNDARY_ANYDIG 1.666 #hist SARE_BOUNDARY_ANYDIG Created by Bob Menschel May 7 2005, suggested by Alex Broens #counts SARE_BOUNDARY_ANYDIG 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_BOUNDARY_ANYDIG 282s/0h of 298277 corpus (136400s/161877h RM) 06/06/05 #counts SARE_BOUNDARY_ANYDIG 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 #max SARE_BOUNDARY_ANYDIG 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #counts SARE_BOUNDARY_ANYDIG 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06 #max SARE_BOUNDARY_ANYDIG 85s/0h of 5653 corpus (1019s/4634h ft) 06/04/05 #counts SARE_BOUNDARY_ANYDIG 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 header SARE_BOUNDARY_D11 Content-Type =~ /boundary="\d{11}"/ describe SARE_BOUNDARY_D11 Content type boundary used in spam or virus score SARE_BOUNDARY_D11 1.666 #stype SARE_BOUNDARY_D11 spamp #hist SARE_BOUNDARY_D11 Created by Bob Menschel May 31 2004 #counts SARE_BOUNDARY_D11 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_BOUNDARY_D11 112s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_BOUNDARY_D11 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #counts SARE_BOUNDARY_D11 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_BOUNDARY_D11 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 #max SARE_BOUNDARY_D11 7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #counts SARE_BOUNDARY_D11 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 full SARE_CONTENT_BITBITNUM /\nContent-Encoding: BitBitNUM\n/ describe SARE_CONTENT_BITBITNUM Unlikely content encoding score SARE_CONTENT_BITBITNUM 1.406 #hist SARE_CONTENT_BITBITNUM Loren Wilton, Feb 1 2005 #counts SARE_CONTENT_BITBITNUM 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05 #max SARE_CONTENT_BITBITNUM 153s/0h of 95210 corpus (59682s/35528h RM) 02/01/05 #counts SARE_CONTENT_BITBITNUM 64s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 #counts SARE_CONTENT_BITBITNUM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_CONTENT_BITBITNUM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 ##################################################################################### # SARE From Rules ######## ###################### ################################################## header SARE_FROM_AMERICA From =~ /[^\-]\bamerica\.com\b/i describe SARE_FROM_AMERICA From user address is used by spammer score SARE_FROM_AMERICA 1.111 #stype SARE_FROM_AMERICA spamp #hist SARE_FROM_AMERICA Created by Bob Menschel Sep 24 2004 #counts SARE_FROM_AMERICA 0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05 #max SARE_FROM_AMERICA 5s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 #counts SARE_FROM_AMERICA 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 #counts SARE_FROM_AMERICA 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #max SARE_FROM_AMERICA 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 #counts SARE_FROM_AMERICA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_FROM_AMERICA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_FROM_SPAM_DOMN2 From =~ /\@wses\.(?:com|org)/i describe SARE_FROM_SPAM_DOMN2 From address suggests this is spam score SARE_FROM_SPAM_DOMN2 0.100 #stype SARE_FROM_SPAM_DOMN2 spamp #hist SARE_FROM_SPAM_DOMN2 RM_fa_wses #counts SARE_FROM_SPAM_DOMN2 0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_FROM_SPAM_NAME2 From =~ /(?:Dating Tips|Email-Gallery|everyday-solution|Free Credit Report|FreebieFix|Long Distance|medmicro|Shape Solutions|TMobile Authorized Dealer|TheGolfWarehouses|Typing Teacher|Value Center|freePriority Shipping|koldny|propecia|thedailyfreesamples)/i describe SARE_FROM_SPAM_NAME2 From address suggests this is spam score SARE_FROM_SPAM_NAME2 1.666 #stype SARE_FROM_SPAM_NAME2 spamp #hist SARE_FROM_SPAM_NAME2 COMBINED.FROM and other sources #counts SARE_FROM_SPAM_NAME2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_FROM_SPAM_NAME2 140s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_FROM_SPAM_NAME2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_FROM_SPAM_NAME2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_FROM_SPAM_NAME2 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06 #max SARE_FROM_SPAM_NAME2 16s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_FROM_SPAM_NAME2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_FROM_SPAM_NAME2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_FROM_VIRUS1 ALL=~ /From:\ssupport\@microsoft.com/ describe SARE_FROM_VIRUS1 From address suggests this is a virus score SARE_FROM_VIRUS1 3.333 #stype SARE_FROM_VIRUS1 vbgg #counts SARE_FROM_VIRUS1 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05 #max SARE_FROM_VIRUS1 21s/0h of 400432 corpus (178148s/222284h RM) 03/31/05 #counts SARE_FROM_VIRUS1 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_FROM_VIRUS1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_FROM_VIRUS1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header __SARE_FROM_WSJ From:name =~ /Wall Street (?:News Alert|Journal Online|Stock Wizard|Detective|Universe|Update|Chronicle)/i meta SARE_FROM_WSJ __SARE_FROM_WSJ && __SARE_WHITELIST_FLAG && !USER_IN_WHITELIST score SARE_FROM_WSJ 1.666 #hist SARE_FROM_WSJ Matt Yackley, Apr 15 2005, expanded by Bob Menschel #hist SARE_FROM_WSJ Dec 24 2005: Added real WSJ whitelist entry to 70_sare_whitelist.cf; added whitelist flags to new meta to force this rule to NOT hit if this is actually the WSJ. #counts SARE_FROM_WSJ 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_FROM_WSJ 86s/0h of 259338 corpus (110116s/149222h RM) 05/16/05 #counts SARE_FROM_WSJ 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 #max SARE_FROM_WSJ 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 #counts SARE_FROM_WSJ 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06 #max SARE_FROM_WSJ 11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05 #counts SARE_FROM_WSJ 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06 #max SARE_FROM_WSJ 258s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_FROM_WSJ 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 ##################################################################################### # SARE From Rules -- Emails coming from free webmail accounts # Since spam from these can vary depending upon country of origin, # country of destination, policies, and enforcement of policies, # most of these are kept as separate rules rather than combined. ######## ###################### ################################################## header SARE_FREE_WEBM_Iamfi From =~ /\biamfinallyonline\.com/i describe SARE_FREE_WEBM_Iamfi Sender used free email account - may be spammer score SARE_FREE_WEBM_Iamfi 0.555 #stype SARE_FREE_WEBM_Iamfi spamp #hist SARE_FREE_WEBM_Iamfi Created by Bob Menschel Apr 09 2004 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05 #max SARE_FREE_WEBM_Iamfi 3s/0h of 60630 corpus (35509s/25121h RM) 08/11/04 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #max SARE_FREE_WEBM_Iamfi 1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_FREE_WEBM_USACOPS From =~ /\@usacops\.com/i describe SARE_FREE_WEBM_USACOPS Maybe spammer with free email score SARE_FREE_WEBM_USACOPS 0.555 #stype SARE_FREE_WEBM_USACOPS spamp #hist SARE_FREE_WEBM_USACOPS Created by Bob Menschel Feb 24 2005 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05 #max SARE_FREE_WEBM_USACOPS 2s/0h of 238550 corpus (112525s/126025h RM) 02/28/05 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 #counts SARE_FREE_WEBM_USACOPS 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 ##################################################################################### # SARE Message-ID rules ######## ###################### ################################################## header SARE_MSGID_06D6 MESSAGEID =~ /<0{6}\d{6}\$\d/ describe SARE_MSGID_06D6 Message-ID has ratware pattern (000009999$9) score SARE_MSGID_06D6 1.061 #counts SARE_MSGID_06D6 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05 #max SARE_MSGID_06D6 91s/0h of 115439 corpus (94250s/21189h RM) 04/30/04 #counts SARE_MSGID_06D6 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04 #counts SARE_MSGID_06D6 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_MSGID_06D6 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_MSGID_06D6 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header MSGID_SPAM_CAPS Message-ID =~ /^\s*/ # no /i meta SARE_MSGID_ALL_CAPHM __SARE_MSGID_ALL_CAPHM && !MSGID_SPAM_CAPS describe SARE_MSGID_ALL_CAPHM Ratware all-caps message-id score SARE_MSGID_ALL_CAPHM 1.666 #stype SARE_MSGID_ALL_CAPHM spamg #hist SARE_MSGID_ALL_CAPHM Created by Bob Menschel May 15 2004 #note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPHM fall into SARE_MSGID_ALL_CAPS #counts SARE_MSGID_ALL_CAPHM 0s/0h of 70566 corpus (43013s/27553h RM) 10/02/04 #max SARE_MSGID_ALL_CAPHM 1s/0h of 69619 corpus (42582s/27037h RM) 09/26/04 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #max SARE_MSGID_ALL_CAPHM 1s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header MSGID_SPAM_CAPS Message-ID =~ /^\s*/ # no /i meta SARE_MSGID_ALL_CAPMS __SARE_MSGID_ALL_CAPMS && !MSGID_SPAM_CAPS describe SARE_MSGID_ALL_CAPMS Ratware all-caps message-id score SARE_MSGID_ALL_CAPMS 1.666 #hist SARE_MSGID_ALL_CAPMS Created by Bob Menschel May 15 2004 #note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPMS fall into SARE_MSGID_ALL_CAPS #counts SARE_MSGID_ALL_CAPMS 0s/0h of 58336 corpus (33608s/24728h RM) 08/07/04 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_MSGID_H7H4H4 MESSAGEID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/ describe SARE_MSGID_H7H4H4 Message-ID has ratware pattern (7hex$4hex$4hex@) score SARE_MSGID_H7H4H4 0.222 #counts SARE_MSGID_H7H4H4 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05 #max SARE_MSGID_H7H4H4 2s/0h of 115439 corpus (94250s/21189h) 04/30/04 #counts SARE_MSGID_H7H4H4 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #max SARE_MSGID_H7H4H4 2s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04 #counts SARE_MSGID_H7H4H4 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #counts SARE_MSGID_H7H4H4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_MSGID_H7H4H4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_MSGID_HEX30 MESSAGEID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/ describe SARE_MSGID_HEX30 Message-ID has ratware pattern (HEXHEXHEX$9x9@) score SARE_MSGID_HEX30 1.666 #counts SARE_MSGID_HEX30 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_MSGID_HEX30 18s/0h of 619677 corpus (318875s/300802h RM) 09/11/05 #counts SARE_MSGID_HEX30 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06 #max SARE_MSGID_HEX30 235s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 #counts SARE_MSGID_HEX30 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06 #max SARE_MSGID_HEX30 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05 #counts SARE_MSGID_HEX30 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04 #counts SARE_MSGID_HEX30 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 header SARE_MSGID_SPAM_DOMN0 MESSAGEID =~ /\bjeanvaljean\.com/i describe SARE_MSGID_SPAM_DOMN0 Message ID implies possible spammer relay score SARE_MSGID_SPAM_DOMN0 1.666 #stype SARE_MSGID_SPAM_DOMN0 spamg #hist SARE_MSGID_SPAM_DOMN0 Created by Bob Menschel Mar 22 2004 #hist SARE_MSGID_SPAM_DOMN0 Removed moosq.com, since now in specific.cf #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05 #max SARE_MSGID_SPAM_DOMN0 1s/0h of 274235 corpus (109066s/165169h RM) 05/15/05 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header MSGID_SPAM_ALPHA_NUM MESSAGEID =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/ header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/ header __SARE_MSGID_SUSP2 MESSAGEID =~ /\<[A-Z]{5,15}\-\d{10,25}\@[a-z]+\>/ meta SARE_MSGID_SUSP2 __SARE_MSGID_SUSP2 && !__SARE_RECV_LOCALHOST && !MSGID_SPAM_ALPHA_NUM describe SARE_MSGID_SUSP2 Message-Id is score SARE_MSGID_SUSP2 3.000 #hist SARE_MSGID_SUSP2 Loren Wilton, LW_BOGUS_MSGID6 #hist SARE_MSGID_SUSP2 Broadened Aug 2004 by Jesse Houwing, with ham-evading exclude #V300 SARE_MSGID_SUSP2 strong overlap with MSGID_SPAM_ALPHA_NUM #counts SARE_MSGID_SUSP2 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05 #alone SARE_MSGID_SUSP2 174s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 #max SARE_MSGID_SUSP2 9187s/0h of 115925 corpus (94616s/21309h RM) 05/01/04 #counts SARE_MSGID_SUSP2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 #max SARE_MSGID_SUSP2 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #counts SARE_MSGID_SUSP2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 #max SARE_MSGID_SUSP2 187s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 #counts SARE_MSGID_SUSP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_MSGID_SUSP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 ##################################################################################### # SARE Received Header Rules ######## ###################### ################################################## header SARE_HELO_AOLID Received =~ /helo=aol\.com ident=/ describe SARE_HELO_AOLID Spam passed through apparent spammer relay score SARE_HELO_AOLID 0.611 #counts SARE_HELO_AOLID 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05 #max SARE_HELO_AOLID 10s/0h of 114241 corpus (81067s/33174h RM) 01/15/05 #counts SARE_HELO_AOLID 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_HELO_AOLID 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 #counts SARE_HELO_AOLID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HELO_AOLID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_HELO_MAILUSER Received =~ /helo=MailUser\)/i describe SARE_HELO_MAILUSER Received header has possible spamsign score SARE_HELO_MAILUSER 1.111 #stype SARE_HELO_MAILUSER spamp #hist SARE_HELO_MAILUSER Created by Bob Menschel May 31 2004 #counts SARE_HELO_MAILUSER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_HELO_MAILUSER 12s/0h of 298277 corpus (136400s/161877h RM) 06/06/05 #counts SARE_HELO_MAILUSER 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_HELO_MAILUSER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 #counts SARE_HELO_MAILUSER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_HELO_MAILUSER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_RECV_ADDR2 Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n/ describe SARE_RECV_ADDR2 Received header missing a FQDN, IP only. score SARE_RECV_ADDR2 0.100 #counts SARE_RECV_ADDR2 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04 #counts SARE_RECV_ADDR2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_RECV_ADDR2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_ADDR2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_RECV_ADDR3 Received =~ /^from \(.?\[.?\].?\)\b/ describe SARE_RECV_ADDR3 Received header contains an empty Recieved IP. score SARE_RECV_ADDR3 0.100 #counts SARE_RECV_ADDR3 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04 #counts SARE_RECV_ADDR3 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_RECV_ADDR3 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_ADDR3 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_RECV_ADDR4 Received =~ /^from unknown \(\w+ \w+\)\b/ describe SARE_RECV_ADDR4 Received contains unknown FQDN with possible HELO. score SARE_RECV_ADDR4 0.100 #counts SARE_RECV_ADDR4 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04 #counts SARE_RECV_ADDR4 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_RECV_ADDR4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_ADDR4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header __SARE_RECV_CHAR_DASHS Received =~ /---/ header __SARE_RECV_CHAR_DOTS Received =~ /\.\./ meta SARE_RECV_CHAR_DSHDT __SARE_RECV_CHAR_DASHS && __SARE_RECV_CHAR_DOTS describe SARE_RECV_CHAR_DSHDT Strange dashes and dots in received line score SARE_RECV_CHAR_DSHDT 0.500 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05 #max SARE_RECV_CHAR_DSHDT 7s/0h of 114241 corpus (81067s/33174h RM) 01/15/05 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 #max SARE_RECV_CHAR_DSHDT 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_RECV_ESMTP Received =~ /^from \(?:unknown|\d+\.\d+\.\d+\.\d+\) \(\s+\) by \s+ with esmtp; / describe SARE_RECV_ESMTP Received header has forged lowercase 'esmtp' relay score SARE_RECV_ESMTP 0.100 #counts SARE_RECV_ESMTP 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04 #counts SARE_RECV_ESMTP 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 #counts SARE_RECV_ESMTP 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 #counts SARE_RECV_ESMTP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 header SARE_RECV_LOCALHOST Received =~ /localhosts\.txt/i describe SARE_RECV_LOCALHOST fingerprint score SARE_RECV_LOCALHOST 1.111 #stype SARE_RECV_LOCALHOST spamp #hist SARE_RECV_LOCALHOST Alex Broens, June 2005 #counts SARE_RECV_LOCALHOST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 #max SARE_RECV_LOCALHOST 77s/0h of 271461 corpus (129860s/141601h RM) 06/12/05 #counts SARE_RECV_LOCALHOST 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 #counts SARE_RECV_LOCALHOST 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05 header SARE_RECV_RANDOM Received =~ /helo[ =].{1,30}