From: Martin Zobel-Helas
Date: Sun, 7 Oct 2007 19:03:33 +0000 (+0000)
Subject: * adding SARE rules
X-Git-Url: https://git.donarmstrong.com/?p=spamassassin_config.git;a=commitdiff_plain;h=a7a2b519ff8c4e7fb7e3c9f06f5601a54c4fdc07;hp=48b35e28c6e843444c424837f96112f3c1f4e229
* adding SARE rules
* modify list/user_prefs to represent changes regarding sare
git-svn-id: svn+ssh://svn.debian.org/svn/pkg-listmaster/trunk/spamassassin_config@54 0b7a5b0c-1f2c-0410-bd74-c376f8064c91
---
diff --git a/common/sare/70_sare_adult.cf b/common/sare/70_sare_adult.cf
new file mode 100644
index 0000000..9f2d90e
--- /dev/null
+++ b/common/sare/70_sare_adult.cf
@@ -0,0 +1,913 @@ +# SARE "Adult" Ruleset for SpamAssassin +# Version: 01.02.08 # The Adult set has been renamed to match SARE's updated standards, the new name is 70_sare_adult.cf +# Created: 2004-03-23 +# Modified: 2007-05-21 +# Changes: Fixed broken meta +# License: Artistic - see http://www.rulesemporium.com/license.txt +# Current Maintainer: Matt Yackley - adult@rulesemporium.com +# Maintainer: Doc Schneider - maddoc@maddoc.net +# Current Home: http://www.rulesemporium.com/rules/70_sare_adult.cf +# +#### + + +############################### +# subject rules # +############################### + + +header SARE_SUBJ_SLUT Subject =~ /\bslut\b/i +score SARE_SUBJ_SLUT 1.66 +#counts SARE_SUBJ_SLUT 89s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_SUBJ_SLUT 5s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +header __FPS_BREAST Subject =~ /\bbreasts?\b/i +header __FPS_COCK Subject =~ /\bcock\b/i +header __FPS_FUCK Subject =~ /\bfuck/i +header __FPS_GIRLS Subject =~ /\bgirls\b/i +header __FPS_HARDCORE Subject =~ /\bhard.?core\b/i +header __FPS_LITTLE Subject =~ /\blittle\b/i +header __FPS_MODEL Subject =~ /\bmodels?\b/i +header __FPS_NAKED Subject =~ /\bnaked\b/i +header __FPS_PENETRAT Subject =~ /\bpenetration\b/i +header __FPS_SEX Subject =~ /\bsex\b/i +header __FPS_SLUT Subject =~ /\bslut\b/i +header __FPS_TEEN Subject =~ /\bteen\b/i +header __FPS_VIRGIN Subject =~ /\bvirgins?\b/i +meta __COUNT_FPORN2 (__FPS_BREAST + __FPS_COCK + __FPS_FUCK + __FPS_GIRLS + __FPS_HARDCORE + __FPS_LITTLE + __FPS_MODEL + __FPS_NAKED + __FPS_PENETRAT + __FPS_SEX + __FPS_SLUT + __FPS_TEEN + __FPS_VIRGIN) > 1 +meta __COUNT_FPORN3 (__FPS_BREAST + __FPS_COCK + __FPS_FUCK + __FPS_GIRLS + __FPS_HARDCORE + __FPS_LITTLE + __FPS_MODEL + __FPS_NAKED + __FPS_PENETRAT + __FPS_SEX + __FPS_SLUT + __FPS_TEEN + __FPS_VIRGIN) > 2 +meta __COUNT_FPORN4 (__FPS_BREAST + __FPS_COCK + __FPS_FUCK + __FPS_GIRLS + __FPS_HARDCORE + __FPS_LITTLE + __FPS_MODEL + __FPS_NAKED + __FPS_PENETRAT + 
__FPS_SEX + __FPS_SLUT + __FPS_TEEN + __FPS_VIRGIN) > 3 + + +meta SARE_SUB_MULTI_PRN2 (__COUNT_FPORN2 && !__COUNT_FPORN3) +score SARE_SUB_MULTI_PRN2 1.66 +#counts SARE_SUB_MULTI_PRN2 455s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_SUB_MULTI_PRN2 93s/5h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +meta SARE_SUB_MULTI_PRN3 (__COUNT_FPORN3 && !__COUNT_FPORN4) +score SARE_SUB_MULTI_PRN3 1.66 +#counts SARE_SUB_MULTI_PRN3 93s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_SUB_MULTI_PRN3 9s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#meta SARE_SUB_MULTI_PRN4 (__COUNT_FPORN4) +#score SARE_SUB_MULTI_PRN4 3.333 +#counts SARE_SUB_MULTI_PRN4 4s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_SUB_MULTI_PRN4 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + + + + + + +header SARE_ADLTSUB1 Subject =~ /\b(?:adu?1t|amb[1!]en|b0y|bl0w|c0cks?|c0re|ejaculation|f?r0+m|g(?:[1!]r[1l]|ir[!1])|h0t|ntercourse|jerk off|l1ttle|m0vie|manh00d|[0o]rg\@sm|p1ct|pen[1!]s|(?:ph|f)(?:[0\@]t|ot[0\@])|secks|sm00th|t1ny|t1ts|v(?:irg1|1rgi|1rg1)n|v[i1]de0|violenced|y0ung)/i +describe SARE_ADLTSUB1 Contains OBFU and "strong" adult words +score SARE_ADLTSUB1 1.66 +# Combined from M_K_PORN_BOGOSITY_SUBJ, L_s_porn, SUBJECT_XXX, RM_swp_porn4, RM_swp_porn5 +# 266s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 45s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTSUB1 503s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTSUB1 145s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +header SARE_ADLTSUB2 Subject =~ /\b(?:blow|climax|enlarg(e|ment)|fuck|inter+acial|lick|porn|penis|pervert|pussy|tits|tight|vagina|virgins?)\b/i +describe SARE_ADLTSUB2 Contains possible adult words +score SARE_ADLTSUB2 1.23 +# Combined from SUBJECT_XXX_2, L_s_porn, RM_swp_pervert, RM_swp_porn1, RM_swp_porn2 +# 519s/1h of 119325 corpus (98981s/20344h) 03/21/04 +# 58s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTSUB2 
1967s/2h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTSUB2 514s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +header SARE_ADLTSUB3 Subject =~ /(?!\bporn)(?:\bp|\B(?:[\xDE]|\xCE\xA1|\xCF\x81|\xD0\xA0|\xD1\x80))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)/i +describe SARE_ADLTSUB3 Apparent spam seems to contain porn subject +score SARE_ADLTSUB3 1.66 # type=obfu +# Original name: RM_swp_porn1o1 +# 58s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 11s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTSUB3 11s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTSUB3 15s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +header SARE_ADLTSUB4 Subject =~ /(?!\bpo(?:rn|ur))\bp.?o.?r.?n/i +describe SARE_ADLTSUB4 Apparent spam seems to contain porn subject +score SARE_ADLTSUB4 0.89 # type=obfu +# Original name: RM_swp_porn1o2 +# 26s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 3s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTSUB4 5s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTSUB4 5s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +header SARE_ADLTSUB5 Subject =~ 
/(?!\bfuck)(?:\bf|\B(?:\xC5\xBF|\xC6\x92|\xD2[\x92-\x93]))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[uv\*\xB5\xD9-\xDC\xF9-\xFC]|\xC5[\xA8-\xB3]|\xC6[\xAF-\xB0]|\xC7[\x93-\x9C]|\xCE\xB0|\xCE\xBC|\xCF\x8B|\xCF\x8D|\xD4\xB1|\xD5\x84|\xD5\x8D)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[c\*\xC7\xE7\xA2\xA9]|\xC4[\x86-\x8D]|\xD0\xA1|\xD1\x81)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:k|\xC4[\xB6-\xB8]|\xCE\x9A|\xCE\xBA|\xD0\x8C|\xD0\x9A|\xD0\xBA|\xD1\x9C|\xD2[\x9A-\x9D]])/i +describe SARE_ADLTSUB5 Apparent spam seems to contain porn subject +score SARE_ADLTSUB5 1.66 # type=obfu +# Original name: RM_swp_porn2o1 +# 8s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 4s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTSUB5 12s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTSUB5 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +header SARE_ADLTSUB6 Subject =~ /(?!\bfuck)\bf.?u.?c.?k/i +describe SARE_ADLTSUB6 Apparent spam seems to contain porn subject +score SARE_ADLTSUB6 1.51 # type=obfu +# Original name: RM_swp_porn2o2 +# 3s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 5s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTSUB6 32s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTSUB6 13s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +header SARE_ADLTSUB7 Subject =~ 
/(?!\bpuss(?:y|ies)\b)(?:\bp|\B(?:[\xDE]|\xCE\xA1|\xCF\x81|\xD0\xA0|\xD1\x80))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[uv\*\xB5\xD9-\xDC\xF9-\xFC]|\xC5[\xA8-\xB3]|\xC6[\xAF-\xB0]|\xC7[\x93-\x9C]|\xCE\xB0|\xCE\xBC|\xCF\x8B|\xCF\x8D|\xD4\xB1|\xD5\x84|\xD5\x8D)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)(?:(?:[y\xA5\xDD\xFD]|\xC5[\xB6-\xB8]|\xCE\x8E|\xCE\xA5|\xCE\xA8|\xCE\xAB|\xCE\xB3|\xD0\xA3|\xD1\x83|\xD1\x9E|\xD2[\xAE-\xB1])|(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|\xC4[\x92-\x9B]|\xCE\x88|\xCE\x95|\xCE\xA3|\xCE\xAD|\xCE\xB5|\xD0\x81|\xD0\x95|\xD0\xB5|\xD1\x91)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F))\b/i +describe SARE_ADLTSUB7 Apparent spam seems to contain porn subject +score SARE_ADLTSUB7 1.66 # type=obfu +# Original name: RM_swp_porn5o1 +# 4s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 2s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTSUB7 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTSUB7 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +header SARE_ADLTSUB8 Subject =~ /(?!\bpuss(?:y|ies)\b)\bp.?u.?s.?s.?(?:y|i.?e.?s)\b/i +describe SARE_ADLTSUB8 Apparent spam seems to contain porn subject +score SARE_ADLTSUB8 1.66 # type=obfu +# Original name: RM_swp_porn5o2 +# FPS SARE_ADLTSUB8="plus sizes" +# 7s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 
+#counts SARE_ADLTSUB8 6s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTSUB8 6s/2h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#header SARE_ADLTSUB10 Subject =~ /(?!\b(?:rap(?:e[sd]?|ing|pel)|reaping)\b)\br.?a.?p.?(?:e.?[sd]?|i.?n.?g)\b/i +#describe SARE_ADLTSUB10 Apparent spam seems to contain porn subject +#score SARE_ADLTSUB10 2.500 # type=obfu +# Original name: RM_swp_Rapeo2 +# 20s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTSUB10 5s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTSUB10 6s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#header SARE_BEDROOMSEC Subject =~ /bedroom secret/i +#describe SARE_BEDROOMSEC Common spammer phrasing +#score SARE_BEDROOMSEC 0.611 +# Original name: RM_spp_BedroomSec +# 10s/0h of 125078 corpus (104890s/20188h) 03/29/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/29/04 +#counts SARE_BEDROOMSEC 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_BEDROOMSEC 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +############################### +# body rules # +############################### + + +body FB_SEXOHOL /sexoholics/i +score FB_SEXOHOL 1.66 +#counts FB_SEXOHOL 7s/0h of 32370 corpus (24496s/7874h ML) 12/12/05 +#counts FB_SEXOHOL 37s/0h of 40658 corpus (35364s/5294h MY) 12/12/05 +#counts FB_SEXOHOL 33s/0h of 207630 corpus (200121s/7509h FT) 12/13/05 +#counts FB_SEXOHOL 3s/0h of 9809 corpus (4905s/4904h FT) 12/12/05 +#counts FB_SEXOHOL 11s/0h of 11532 corpus (6163s/5369h CT) 12/12/05 +#counts FB_SEXOHOL 4s/0h of 70031 corpus (30720s/39311h DOC) 12/12/05 +#counts FB_SEXOHOL 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_SEXOHOL 18s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body FB_XUAL /\bxual\b/ +score FB_XUAL 0.68 +#counts FB_XUAL 20s/0h of 6871 corpus (5500s/1371h AxB) 12/15/05 +#counts FB_XUAL 67s/0h of 34342 corpus (25865s/8477h ML) 12/15/05 +#counts FB_XUAL 
22s/0h of 40631 corpus (35338s/5293h MY) 12/15/05 +#counts FB_XUAL 62s/0h of 70858 corpus (31544s/39314h DOC) 12/15/05 +#counts FB_XUAL 855s/0h of 107818 corpus (99658s/8160h FVGT) 03/11/06 +#counts FB_XUAL 100s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_XUAL 360s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body FB_NOT_SEX / s[^afeiloprsuw]x\b/i +#score FB_NOT_SEX 1.003 +#counts FB_NOT_SEX 7s/7h of 37297 corpus (31824s/5473h MY) 02/07/06 +#counts FB_NOT_SEX 4s/4h of 6866 corpus (4638s/2228h AxB) 02/07/06 +#counts FB_NOT_SEX 4s/5h of 11694 corpus (6132s/5562h CT) 02/07/06 +#counts FB_NOT_SEX 204s/4h of 345244 corpus (337372s/7872h FT) 02/07/06 +#counts FB_NOT_SEX 110s/0h of 107818 corpus (99658s/8160h FVGT) 03/11/06 +#counts FB_NOT_SEX 23s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_NOT_SEX 108s/2h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body FB_GIRLS_DOLLAR /girl\$/i +#score FB_GIRLS_DOLLAR 1.992 +#counts FB_GIRLS_DOLLAR 0s/0h of 37297 corpus (31824s/5473h MY) 02/07/06 +#counts FB_GIRLS_DOLLAR 0s/0h of 6866 corpus (4638s/2228h AxB) 02/07/06 +#counts FB_GIRLS_DOLLAR 0s/0h of 11694 corpus (6132s/5562h CT) 02/07/06 +#counts FB_GIRLS_DOLLAR 36s/0h of 345244 corpus (337372s/7872h FT) 02/07/06 +#counts FB_GIRLS_DOLLAR 8s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_GIRLS_DOLLAR 2s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +# 1as$e$ +#body FB_DOLLAR_ASS2 /(?:\b|[0-9])(?!ass)a[s\$][s\$](?:\b|e)/i +#score FB_DOLLAR_ASS2 0.361 +#counts FB_DOLLAR_ASS2 2s/1h of 9374 corpus (7151s/2223h AxB) 03/01/06 +#counts FB_DOLLAR_ASS2 6s/0h of 12244 corpus (6572s/5672h CT) 03/01/06 +#counts FB_DOLLAR_ASS2 0s/2h of 27495 corpus (21848s/5647h MY) 03/01/06 +#counts FB_DOLLAR_ASS2 13s/0h of 34977 corpus (27086s/7891h FT) 03/01/06 +#counts FB_DOLLAR_ASS2 10s/2h of 84470 corpus (67306s/17164h ML) 03/01/06 +#counts FB_DOLLAR_ASS2 10s/1h of 103116 corpus (63731s/39385h DOC) 03/01/06 +#counts FB_DOLLAR_ASS2 58s/0h of 
107818 corpus (99658s/8160h FVGT) 03/11/06 +#counts FB_DOLLAR_ASS2 21s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_DOLLAR_ASS2 13s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body FB_HARD_ERECTION /hard(?:er)? (?:erection|penis)/i +score FB_HARD_ERECTION 1.66 +#counts FB_HARD_ERECTION 2728s/0h of 211356 corpus (203977s/7379h FT) 11/23/05 +#counts FB_HARD_ERECTION 393s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_HARD_ERECTION 573s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body FB_JACKRABBIT /Jack Rabbit Vibrat[o0]r/i +#score FB_JACKRABBIT 3.599 +#counts FB_JACKRABBIT 640s/0h of 211356 corpus (203977s/7379h FT) 11/23/05 +#counts FB_JACKRABBIT 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_JACKRABBIT 47s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body FB_PENIS /\b(?!penis)p[3e]n[i1!][s5]\b/i +score FB_PENIS 1.66 +#counts FB_PENIS 170s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_PENIS 386s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body FB_FEMALE_EJACU /female ejaculation/i +score FB_FEMALE_EJACU 1.66 +#counts FB_FEMALE_EJACU 4s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_FEMALE_EJACU 1s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body FB_INNOCENT /innocent (?:boy|girl|child)/i +score FB_INNOCENT 0.40 +#counts FB_INNOCENT 14s/1h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FB_INNOCENT 7s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body LW_PORN_PHOTO /Tell our photographers what to do in their next photo session our video/ +#score LW_PORN_PHOTO 5 +#describe LW_PORN_PHOTO Standard 'hot chicks' line +#counts LW_PORN_PHOTO 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts LW_PORN_PHOTO 3s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body LW_PORN_ONLINE /high quality photo's online/ +#score LW_PORN_ONLINE 2 +#describe LW_PORN_ONLINE Standard 'hot chicks' line +#counts LW_PORN_ONLINE 0s/0h of 42056 
corpus (34127s/7929h FVGT) 04/19/06 +#counts LW_PORN_ONLINE 4s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body LW_PORN_MODELS /models getting nasty/ +#score LW_PORN_MODELS 5 +#describe LW_PORN_MODELS Standard 'hot chicks' line +#counts LW_PORN_MODELS 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts LW_PORN_MODELS 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body LW_PORN_HELLO /(?:Hey baby|Hello, stranger!) :\)/ +score LW_PORN_HELLO 1.66 +describe LW_PORN_HELLO Standard 'hot chicks' line +#counts LW_PORN_HELLO 2s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts LW_PORN_HELLO 5s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + + + +#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +# set of porn keywords / when these words appear, it's more likely porn. SET A. +body __FVGT_BREASTS /\bbreasts?\b/i +body __FVGT_FUCK /\bfuck/i +body __FVGT_RAPE /\braped?\b/i +body __FVGT_HORNY /\bhorny\b/i +body __FVGT_VIRGIN /\bvirgins?\b/i +body __FVGT_COCK /\bcock\b/i +body __FVGT_LOLITA /\blolita\b/i +body __FVGT_YOUNGGIRL /Young(?:est)? (?:girl|chick)/i +body __FVGT_PUSSY /\bpuss(?:y|ies)/i +body __FVGT_ASS /\sass\s/i +body __FVGT_SLUT /\bslut\b/i + +# meta's to count how many porn words from Set A. 
+meta FM_PORN_A_4 ((__FVGT_BREASTS + __FVGT_FUCK + __FVGT_RAPE + __FVGT_HORNY + __FVGT_VIRGIN + __FVGT_COCK + __FVGT_LOLITA + __FVGT_YOUNGGIRL + __FVGT_PUSSY + __FVGT_ASS + __FVGT_SLUT) > 2) +meta FM_PORN_A_5 ((__FVGT_BREASTS + __FVGT_FUCK + __FVGT_RAPE + __FVGT_HORNY + __FVGT_VIRGIN + __FVGT_COCK + __FVGT_LOLITA + __FVGT_YOUNGGIRL + __FVGT_PUSSY + __FVGT_ASS + __FVGT_SLUT) > 3) + +score FM_PORN_A_4 1.09 +#counts FM_PORN_A_4 796s/2h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FM_PORN_A_4 243s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + + +score FM_PORN_A_5 0.98 +#counts FM_PORN_A_5 358s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FM_PORN_A_5 172s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + + + + + +body __HAS_COLLECTION /\bcollection\b/i +body __HAS_HARDCORE /\bhardcore\b/i +body __HAS_YOUNGGIRL /\byoung\s?girls?\b/i +body __HAS_ADOLESCENT /\badolescents?\b/i +body __HAS_CHICKS /\bchicks?\b/i + +meta FP_MIXED_PORN3 ((__HAS_COLLECTION + __HAS_HARDCORE + __HAS_YOUNGGIRL + __HAS_ADOLESCENT + __HAS_CHICKS) > 2) +score FP_MIXED_PORN3 1.66 +#counts FP_MIXED_PORN3 4s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts FP_MIXED_PORN3 5s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + + +body SARE_ADULT1 /(?:suck|l[i1]ck).{1,30}(c[o0]ck|d[i1]ck)/i +describe SARE_ADULT1 Contains adult material +score SARE_ADULT1 1.47 +# Original name: FVGT_b_ADULT02 +# 55s/2h of 119325 corpus (98981s/20344h) 03/21/04 +# 18s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADULT1 512s/1h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADULT1 129s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_ADULT2 /\b(?:sorority|rock hard|(adu?(l|1)t|XXX) movies?|climatique|orgas(mic|ims?|ms?)|climax|ejactulate|penis|pussy|cunt|blowjob|intercourse|lubricate)\b/i +describe SARE_ADULT2 Contains adult material +score SARE_ADULT2 1.42 +# Original name: MY_XXX_BODY, was rawbody +# 9985s/30h of 119325 corpus (98981s/20344h) 
03/21/04 +# 683s/2h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADULT2 4729s/9h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADULT2 2685s/34h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_BETTERORG /(?:boost|magnify|multipl[ey]|increase|frequent|intense|intensify).{1,15}orgasm/i +describe SARE_BETTERORG Talks about getting better orgasms +score SARE_BETTERORG 1.66 +# Original name: YM_B_BETTER_ORG, RM_bpm_MultipleOrgasms +# 592s/2h of 119325 corpus (98981s/20344h) 03/21/04 +# 29s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_BETTERORG 249s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_BETTERORG 111s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_ENLRGYOUR /enlarge your/i +describe SARE_ENLRGYOUR Talks about "enlarging" something +score SARE_ENLRGYOUR 1.02 +# Original name: MY_EN_PENIS, was rawbody, RE_bpm_EnlargeYour +# 1735s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 91s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ENLRGYOUR 537s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ENLRGYOUR 279s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_LRGPNS /(?:bigger|larger|increase your) (?:member\b|rod)/i +describe SARE_LRGPNS Talks about a "bigger" appendage +score SARE_LRGPNS 1.66 +# Original name: MY_MEMBER combined with MY_LRGROD +# 50s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_LRGPNS 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_LRGPNS 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_PNSSIZE /inch(?:es)? 
.{0,10}(?:cock|dick)/i +describe SARE_PNSSIZE Talks about the size of male body part +score SARE_PNSSIZE 1.66 +# Original name: YM_B_BODYPART_1 +# 3s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 6s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_PNSSIZE 5s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_PNSSIZE 2s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_SXLIFE /(?:are you single|sex life|youre? partner)/i +describe SARE_SXLIFE Talks about your sex life +score SARE_SXLIFE 1.07 +# 695s/15h of 119325 corpus (98981s/20344h) 03/21/04 +# 212s/1h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_SXLIFE 991s/12h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_SXLIFE 637s/54h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_BEASTUD /be a stud/i +describe SARE_BEASTUD common spammer phrasing +score SARE_BEASTUD 0.26 +# Original name: RM_bpm_BeAStud +# 53s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 7s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_BEASTUD 73s/2h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_BEASTUD 20s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_BIGRMEMBER /B.?i.?g.?g.?e.?r.{0,5}M.?e.?m.?b.?e.?r/i +describe SARE_BIGRMEMBER mentions bigger body part +score SARE_BIGRMEMBER 1.66 +# Original name: RM_bpm_BiggerMember +# 17s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_BIGRMEMBER 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_BIGRMEMBER 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_INLENGTH /increase.? 
my length/i +describe SARE_INLENGTH common spammer phrasing +score SARE_INLENGTH 1.66 +# Original name: RM_bpm_IncreaseLength +# 40s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 8s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_INLENGTH 60s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_INLENGTH 20s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_LADYINLIFE /lady in your life/i +#describe SARE_LADYINLIFE Contains phrasing used by spammers +#score SARE_LADYINLIFE 0.166 +# Original name: RM_bpm_LadyInLife +# 3s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_LADYINLIFE 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_LADYINLIFE 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_MAGICLUBE /"Magic Lubricant"/i +#describe SARE_MAGICLUBE Spammer phrasing in body of email +#score SARE_MAGICLUBE 2.222 # type=spamgg +# Original name: RM_bpm_MagicLubricant +# 704s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 12s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_MAGICLUBE 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_MAGICLUBE 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_NOEMBARRASS /no embarrassing/i +describe SARE_NOEMBARRASS Wow, I won't be embarrassed anymore! 
+score SARE_NOEMBARRASS 1.66 +# Original name: RM_bpm_NoEmbarrassing +# 30s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 6s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_NOEMBARRASS 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_NOEMBARRASS 1s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_PLEASEPARTNR /Pleasure.{1,10}partner/i +describe SARE_PLEASEPARTNR common spammer phrasing +score SARE_PLEASEPARTNR 1.66 +# Original name: RM_bpm_PleasurePartnr +# 51s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 6s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_PLEASEPARTNR 60s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_PLEASEPARTNR 20s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_POWERBOTTLE /"Power Bottle"/i +#describe SARE_POWERBOTTLE Spammer phrasing in body of email +# score SARE_POWERBOTTLE 2.222 # type=spamgg +# Original name: RM_bpm_PowerBottle +# 708s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 12s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_POWERBOTTLE 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_POWERBOTTLE 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_PRODEREC /produce erections/i +#describe SARE_PRODEREC Contains medical spam phrasing +#score SARE_PRODEREC 0.055 +# Original name: RE_bpm_ProdErec +# 1s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_PRODEREC 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_PRODEREC 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_SUPERVIAGRA /(?:super|weekend)[- ]viagra/i +describe SARE_SUPERVIAGRA mentions drug which is often subject of spam +score SARE_SUPERVIAGRA 1.66 # type=spamgg +# Original name: RM_bpm_SuperViagra, RM_bpm_WeekendViagra +# 299s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 11s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_SUPERVIAGRA 136s/0h of 
42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_SUPERVIAGRA 704s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_ADLTDATING /adult dating/i +describe SARE_ADLTDATING Contains phrasing used by spammers +score SARE_ADLTDATING 0.32 +# Original name: RM_bpp_Adultdating +# 3s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTDATING 1s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTDATING 32s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_ADLTPRSNLS /adult personals/i +describe SARE_ADLTPRSNLS Contains phrasing used by spammers +score SARE_ADLTPRSNLS 1.66 +# Original name: RM_bpp_AdultPersonals +# 3s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 2s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_ADLTPRSNLS 1s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_ADLTPRSNLS 13s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_AREUBORED /Are you bored of/i +#describe SARE_AREUBORED Contains phrasing used by spammers +#score SARE_AREUBORED 0.111 +# Original name: RM_bpp_AreYouBored +# 2s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 3s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_AREUBORED 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_AREUBORED 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_CHILDPRN1 /child porn/i +describe SARE_CHILDPRN1 contains reference to child porn +score SARE_CHILDPRN1 1.15 # ham: news, FBI auto-responder +# Original name: ChildPorn +# 64s/3h of 119325 corpus (98981s/20344h) 03/21/04 +# 5s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_CHILDPRN1 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_CHILDPRN1 1s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_CHILDPRN2 /child pornography webmaster/i +#describe SARE_CHILDPRN2 contains reference to a child porn webmaster +#score SARE_CHILDPRN2 2.222 # 
type=spamg +# Original name: RM_bpp_ChildPorn2 +# 9s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_CHILDPRN2 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_CHILDPRN2 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_CHILDPRN3 /underage porn/i +#describe SARE_CHILDPRN3 contains reference to child porn +#score SARE_CHILDPRN3 2.222 # type=spamg +# Original name: RM_bpp_ChildPorn3 +# 28s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 5s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_CHILDPRN3 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_CHILDPRN3 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_TOWRITE /decided to write/i +describe SARE_TOWRITE Contains phrasing used by spammers +score SARE_TOWRITE 1.05 +# Original name: RM_bpp_DecidedToWrite +# 41s/2h of 119325 corpus (98981s/20344h) 03/21/04 +# 2s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_TOWRITE 6s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_TOWRITE 11s/3h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_DRMWOMAN /your dream woman/i +#describe SARE_DRMWOMAN Contains phrasing used by spammers +#score SARE_DRMWOMAN 0.055 +# Original name: RM_bpp_DreamWoman +# 1s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_DRMWOMAN 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_DRMWOMAN 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_GETFCK /get fuck/i +describe SARE_GETFCK Contains phrasing used by spammers +score SARE_GETFCK 1.66 # type=spamp +# Original name: RM_bpp_GetFucked +# 22s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 8s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_GETFCK 71s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_GETFCK 32s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body 
SARE_GIRLSDOANY /girls will do anything/i
+#describe SARE_GIRLSDOANY Contains phrasing used by spammers
+#score SARE_GIRLSDOANY 0.166
+# Original name: RM_bpp_GirlsDoAny
+# 3s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 3s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_GIRLSDOANY 1s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_GIRLSDOANY 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+#body SARE_HORNY2 /horny as hell/i
+#describe SARE_HORNY2 Contains phrasing used by spammers
+#score SARE_HORNY2 0.222
+# Original name: RM_bpp_HornyAsHell
+# 4s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 3s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_HORNY2 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_HORNY2 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+#body SARE_MOMBLOW /mother blows/i
+#describe SARE_MOMBLOW textual phrase implies porn spam
+#score SARE_MOMBLOW 0.111
+# Original name: RM_bpp_MotherBlows
+# 2s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_MOMBLOW 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_MOMBLOW 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_BADGIRLS /(?:amateur|horny|asian) girls/i
+describe SARE_BADGIRLS Contains phrasing used by spammers
+score SARE_BADGIRLS 0.52
+# Original name: RM_bpp_PornGirls
+# 12s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 9s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_BADGIRLS 21s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_BADGIRLS 5s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_QLTYSINGLES /quality singles/i
+describe SARE_QLTYSINGLES Contains phrasing seen in spam
+score SARE_QLTYSINGLES 1.66
+# Original name: RM_bpp_QualitySingles
+# 3s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_QLTYSINGLES 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_QLTYSINGLES 1s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+#body SARE_HORNY1 /so hoo+rny/i
+#describe SARE_HORNY1 Contains phrasing used by spammers
+#score SARE_HORNY1 1.000 # type=spamp
+# Original name: SoHorny
+# 1s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_HORNY1 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_HORNY1 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+#body SARE_SONSDICK /son's dick/i
+#describe SARE_SONSDICK textual phrase implies porn spam
+#score SARE_SONSDICK 1.000 # type=spamp
+# Original name: SonsDick
+# 2s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_SONSDICK 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_SONSDICK 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_STILLSINGLE /still single/i
+describe SARE_STILLSINGLE Contains phrasing used by spammers
+score SARE_STILLSINGLE 1.66
+# Original name: RM_bpp_StillSingle
+# 11s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 5s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_STILLSINGLE 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_STILLSINGLE 71s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+#body SARE_UNDRESSMTHR /undressed mother/i
+#describe SARE_UNDRESSMTHR textual phrase implies porn spam
+#score SARE_UNDRESSMTHR 0.200
+# Original name: RM_bpp_UndressedMother
+# 2s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_UNDRESSMTHR 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_UNDRESSMTHR 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_HOUSEWIVES /housewives/i
+describe SARE_HOUSEWIVES Mentions housewives, as in porn or in-home biz
+score SARE_HOUSEWIVES 0.99
+# Original name: RM_bwp_housewives
+# 138s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 18s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_HOUSEWIVES 13s/3h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_HOUSEWIVES 37s/6h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_SCHLGRL /schoolgirls/i
+describe SARE_SCHLGRL mentions schoolgirls, as in porn
+score SARE_SCHLGRL 1.29
+# Original name: RM_bwp_schoolgirls
+# 11s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 6s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_SCHLGRL 15s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_SCHLGRL 19s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+###############################
+# OBFU body rules #
+###############################
+
+body SARE_ADLTOBFU /\b(?:adu?1t|amb[1!]en|b0y|bl0w|c0cks?|c0re|d0main|f?r0m|g(?:[1!]r[1l]|ir[!1])|[1!]ntercourse|l1ttle|l0se|mai1|manh00d|m0vie|[0o]rg\@sm|p[0\@]rn|p1ct|pen[1!]s|(?:ph|f)(?:[0\@]t|ot[0\@])|pu[s5]{1,2}[1!]e[s5]|secks|sm00th|t1ny|t1ts|v(?:irg1|1rgi|1rg1)n|v[i1]de0|y0ung|y0ur)/i
+describe SARE_ADLTOBFU Contains OBFU adult material
+score SARE_ADLTOBFU 0.68
+# Combined from FVGT_b_N0N0_WORDS, OACYS_DISGUISED_P0RN, M_K_N0N0_WORDS_BODY
+# 768s/1h of 119325 corpus (98981s/20344h) 03/21/04
+# 89s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_ADLTOBFU 930s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_ADLTOBFU 663s/10h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_OBFUENLARGE /\b(?!enlarge)e.?n.?l.?a.?r.?g.?e/i
+describe SARE_OBFUENLARGE masked spam word(s)
+score SARE_OBFUENLARGE 1.66 # type=obfu
+# Original name: RM_bwo_Enlarge
+# 478s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 18s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_OBFUENLARGE 15s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_OBFUENLARGE 466s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+#body SARE_OBFUFCK1
/(?!\bfuck)(?:\bf|\B(?:\xC5\xBF|\xC6\x92|\xD2[\x92-\x93]))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[uv\xB5\xD9-\xDC\xF9-\xFC]|\xC5[\xA8-\xB3]|\xC6[\xAF-\xB0]|\xC7[\x93-\x9C]|\xCE\xB0|\xCE\xBC|\xCF\x8B|\xCF\x8D|\xD4\xB1|\xD5\x84|\xD5\x8D)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[c\xC7\xE7\xA2\xA9]|\xC4[\x86-\x8D]|\xD0\xA1|\xD1\x81)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:k|\xC4[\xB6-\xB8]|\xCE\x9A|\xCE\xBA|\xD0\x8C|\xD0\x9A|\xD0\xBA|\xD1\x9C|\xD2[\x9A-\x9D]])/i +#describe SARE_OBFUFCK1 Apparent spam seems to contain porn subject +#score SARE_OBFUFCK1 1.666 # type=obfu +# Original name: RM_bwo_Fucko1 +# 42s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 23s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_OBFUFCK1 19s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUFCK1 35s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_OBFUFCK2 /(?!\bfun?ck)\bf.?u.?c.?k/i +describe SARE_OBFUFCK2 Apparent spam seems to contain porn subject +score SARE_OBFUFCK2 1.00 # type=obfu +# Original name: RM_bwo_Fucko2 +# 70s/1h of 119325 corpus (98981s/20344h) 03/21/04 +# 29s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_OBFUFCK2 56s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUFCK2 73s/3h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_OBFUGNGBNG 
/(?!\bgangbang(ed)?\b)(?:\b[g6]|\B(?:\xC4[\x9C-\xA3]))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[b8\xDF]|\xCE\x92|\xCE\xB2|\xD0\x92|\xD0\xB2)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])((?:[e3\*\xC8-\xCB\xE8-\xEB]|\xC4[\x92-\x9B]|\xCE\x88|\xCE\x95|\xCE\xA3|\xCE\xAD|\xCE\xB5|\xD0\x81|\xD0\x95|\xD0\xB5|\xD1\x91)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[d\xD0]|\xC4[\x8E-\x91]))?\b/i +#describe SARE_OBFUGNGBNG masked spam word(s) +#score SARE_OBFUGNGBNG 2.5 # type=obfu +# Original name: RM_bwo_Gangbang +# 2s/0h of 15929 corpus (13729s/2200h) 03/23/04 +# 3s/0h of 119325 corpus (98981s/20344h) 03/21/04 +#counts SARE_OBFUGNGBNG 11s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUGNGBNG 1s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_OBFUGIRLS 
/(?!\bgirls?\b)(?:\b[g6]|\B(?:\xC4[\x9C-\xA3]))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[l1I\|\xA3]|(?:\xC5[\x80-\x82]|\xC4[\xB9-\xBF]))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)?\b/i +#describe SARE_OBFUGIRLS masked spam word(s) +#score SARE_OBFUGIRLS 3.222 # type=obfu # ham: jpg +# Original name: RM_bwo_Girls +# 25s/1h of 15929 corpus (13729s/2200h) 03/23/04 +# 318s/1h of 119325 corpus (98981s/20344h) 03/21/04 +#counts SARE_OBFUGIRLS 112s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUGIRLS 13s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_OBFUPENIS /(?!\bpen 
?is\b)(?:\bp|\B(?:[\xDE]|\xCE\xA1|\xCF\x81|\xD0\xA0|\xD1\x80))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|\xC4[\x92-\x9B]|\xCE\x88|\xCE\x95|\xCE\xA3|\xCE\xAD|\xCE\xB5|\xD0\x81|\xD0\x95|\xD0\xB5|\xD1\x91)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5]\b|(?:[\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)\B)/i +#describe SARE_OBFUPENIS masked spam word(s) +#score SARE_OBFUPENIS 2.333 # type=obfu +# Original name: RM_bwo_Penis +# 1027s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 91s/1h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_OBFUPENIS 516s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUPENIS 578s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_OBFUPORNO 
/(?!\bporno?\b)(?:\bp|\B(?:[\xDE]|\xCE\xA1|\xCF\x81|\xD0\xA0|\xD1\x80))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95)?\b/i +#describe SARE_OBFUPORNO masked spam word(s) +# score SARE_OBFUPORNO 2.500 # type=obfu +# Original name: RM_bwo_Porno +# 266s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 36s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_OBFUPORNO 43s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUPORNO 22s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_OBFUPUSS 
/(?!\bpussies\b)(?:\bp|\B(?:[\xDE]|\xCE\xA1|\xCF\x81|\xD0\xA0|\xD1\x80))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[uv\*\xB5\xD9-\xDC\xF9-\xFC]|\xC5[\xA8-\xB3]|\xC6[\xAF-\xB0]|\xC7[\x93-\x9C]|\xCE\xB0|\xCE\xBC|\xCF\x8B|\xCF\x8D|\xD4\xB1|\xD5\x84|\xD5\x8D)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|\xC4[\x92-\x9B]|\xCE\x88|\xCE\x95|\xCE\xA3|\xCE\xAD|\xCE\xB5|\xD0\x81|\xD0\x95|\xD0\xB5|\xD1\x91)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5]\b|(?:[\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)\B)/i +#describe SARE_OBFUPUSS masked spam word(s) +#score SARE_OBFUPUSS 2.500 # type=obfu +# Original name: RM_bwo_Pussies +# 28s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 27s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_OBFUPUSS 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUPUSS 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_OBFUSEXUAL /\b(?!Sexual)S.?e.?x.?u.?a.?l/i +describe SARE_OBFUSEXUAL masked spam word(s) +score SARE_OBFUSEXUAL 1.66 # type=obfu +# Original name: +# 409s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 27s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_OBFUSEXUAL 676s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUSEXUAL 373s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body 
SARE_OBFUTEENS /(?!\bteens?\b)(?:\bt|\B(?:[\+]|\xC5[\xA2-\xA7]|\xCE\xA4|\xCF\x84|\xD0\xA2|\xD1\x82))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|\xC4[\x92-\x9B]|\xCE\x88|\xCE\x95|\xCE\xA3|\xCE\xAD|\xCE\xB5|\xD0\x81|\xD0\x95|\xD0\xB5|\xD1\x91)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|\xC4[\x92-\x9B]|\xCE\x88|\xCE\x95|\xCE\xA3|\xCE\xAD|\xCE\xB5|\xD0\x81|\xD0\x95|\xD0\xB5|\xD1\x91)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)?\b/i +#describe SARE_OBFUTEENS masked spam word(s) +#score SARE_OBFUTEENS 2.500 # type=obfu +# Original name: RM_bwo_Teens +# 28s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 4s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_OBFUTEENS 1s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUTEENS 1s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +body SARE_OBFUTESTO /\b(?!testosterone)t.?e.?s.?t.?o.?s.?t.?e.?r.?o.?n.?e/i +describe SARE_OBFUTESTO masked spam word(s) +score SARE_OBFUTESTO 1.66 # type=obfu +# Original name: RM_bwo_Testosterone +# 10s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_OBFUTESTO 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUTESTO 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_OBFUVRGN 
/(?!\bvirgins?\b)(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[g6]|\xC4[\x9C-\xA3]])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)?\b/i +#describe SARE_OBFUVRGN masked spam word(s) +#score SARE_OBFUVRGN 2.500 # type=obfu +# Original name: RM_bwo_Virgins +# 25s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 16s/0h of 15929 corpus (13729s/2200h) 03/23/04 +#counts SARE_OBFUVRGN 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_OBFUVRGN 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_SPRDLGS /spread(?:ing)? 
their leg/i
+#describe SARE_SPRDLGS Contains possible adult phrase
+#score SARE_SPRDLGS 0.222
+# 4s/0h of 125078 corpus (104890s/20188h) 03/29/04
+# 0s/0h of 15929 corpus (13729s/2200h) 03/29/04
+#counts SARE_SPRDLGS 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_SPRDLGS 2s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_RPTLETTERS /(?!\b(?:ass|cock|pussy)\b)\b(?:a+s+s+|c+o+c+k+|p+u+s+s+y+)\b/i
+describe SARE_RPTLETTERS Contains mis-spelled adult phrase(s)
+score SARE_RPTLETTERS 1.66
+# 5s/0h of 125078 corpus (104890s/20188h) 03/29/04
+# 2s/0h of 15929 corpus (13729s/2200h) 03/29/04
+#counts SARE_RPTLETTERS 15s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_RPTLETTERS 1s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_SEXDRIVE /\bSex(?:ual)? Drive/i
+describe SARE_SEXDRIVE Talks about sex drive
+score SARE_SEXDRIVE 1.66
+# Original name: RM_bpm_SexDrive
+# 589s/0h of 125078 corpus (104890s/20188h) 03/29/04
+# 141s/0h of 15929 corpus (13729s/2200h) 03/29/04
+#counts SARE_SEXDRIVE 239s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_SEXDRIVE 531s/5h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_BETTERSEX /better sex/i
+describe SARE_BETTERSEX Spammer phrasing in body of email
+score SARE_BETTERSEX 1.66
+# Original name: RM_bpm_BetterSex
+# 157s/0h of 125078 corpus (104890s/20188h) 03/29/04
+# 8s/0h of 15929 corpus (13729s/2200h) 03/29/04
+#counts SARE_BETTERSEX 292s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_BETTERSEX 262s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+body SARE_SEXENHANCER /sex(?:ual)?
enhancer/i +describe SARE_SEXENHANCER mentions spam topic +score SARE_SEXENHANCER 1.66 # type=spamp +# Original name: RM_bpm_SexEnhancer +# 11s/0h of 125078 corpus (104890s/20188h) 03/29/04 +# 11s/0h of 15929 corpus (13729s/2200h) 03/29/04 +#counts SARE_SEXENHANCER 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06 +#counts SARE_SEXENHANCER 7s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06 + + +#body SARE_OBFUHARDCORE /(?!hard[ -]?core)(?:\bh|\B(?:\xC4[\xA4-\xA7]|\xCE\x89|\xCE\x97|\xD0\x9D|\xD0\xBD|\xD1\x92|\xD2[\xA2-\xA3]|\xD2[\xBA-\xBB]|\xD5\xB0))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[d\xD0]|\xC4[\x8E-\x91])[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[c\*\xC7\xE7\xA2\xA9]|\xC4[\x86-\x8D]|\xD0\xA1|\xD1\x81)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3]\b|(?:[\*\xC8-\xCB\xE8-\xEB]|\xC4[\x92-\x9B]|\xCE\x88|\xCE\x95|\xCE\xA3|\xCE\xAD|\xCE\xB5|\xD0\x81|\xD0\x95|\xD0\xB5|\xD1\x91)\B)/i +#describe SARE_OBFUHARDCORE masked spam word(s) +#score SARE_OBFUHARDCORE 1.433 # type=obfu +# Original name: RM_bwo_hardcore +# 32s/0h of 98440 corpus (76828s/21612h) 05/09/04 +#counts SARE_OBFUHARDCORE 4s/0h of 42056 corpus (34127s/7929h FVGT) 
04/19/06
+#counts SARE_OBFUHARDCORE 3s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+
+###############################
+# uri rules #
+###############################
+
+#uri SARE_PNSPTCH /\bbolik34\b/i
+#describe SARE_PNSPTCH Terra.es penil patch spammer
+#score SARE_PNSPTCH 1.5 # was .33
+# Original name: MAKEPENIBIG
+# 277s/0h of 119325 corpus (98981s/20344h) 03/21/04
+# 0s/0h of 15929 corpus (13729s/2200h) 03/23/04
+#counts SARE_PNSPTCH 0s/0h of 42056 corpus (34127s/7929h FVGT) 04/19/06
+#counts SARE_PNSPTCH 0s/0h of 140226 corpus (90162s/50064h DOC) 04/19/06
+
+
+# EOF
diff --git a/common/sare/70_sare_header.cf b/common/sare/70_sare_header.cf
new file mode 100644
index 0000000..f696075
--- /dev/null
+++ b/common/sare/70_sare_header.cf
@@ -0,0 +1,5677 @@
+# SARE Header Abuse Ruleset for SpamAssassin -- file 0
+# Version: 01.03.16
+# Created: 2004-04-25
+# Modified: 2005-10-28
+# Usage instructions and documentation in 70_sare_header0.cf
+
+# Full Revision History / Change Log in 70_sare_header.log
+#@@# 01.03.16 Oct 28 2005
+#@@# Minor score updates based on additional mass-check
+#@@# Added to file 0: SARE_FRM_HOODIA
+#@@# Added to file 0: SARE_HEAD_HDR_XIDSRVR
+#@@# Added to file 0: SARE_RECV_IP_064069032
+#@@# Added to file 0: SARE_RECV_IP_066059094
+#@@# Added to file 0: SARE_RECV_IP_066159017
+#@@# Added to file 0: SARE_RECV_IP_204010039
+#@@# Added to file 0: SARE_XMAIL_LEO
+#@@# Moved file 0 to file 1: SARE_BOUNDARY_LC
+#@@# Moved file 0 to file 1: SARE_FREE_WEBM_FrVoila
+#@@# Moved file 0 to file 1: SARE_HEAD_HDR_XBBOUNC
+#@@# Moved file 0 to file 1: SARE_HEAD_XWORD
+#@@# Moved file 0 to file 1: SARE_RECV_IP_066165224
+#@@# Moved file 0 to file 1: SARE_RECV_IP_218088
+#@@# Moved file 0 to file 1: SARE_XMAIL_TOLMAIL
+#@@# Moved file 0 to file 2: SARE_RECV_IP_063111025
+#@@# Moved file 0 to file 2: SARE_RECV_RANDOM
+#@@# Moved file 0 to file x31: SARE_MULT_RATW_02 to x31 file; RATWARE_NAME_ID is now in version 3.1.0
+#@@# Moved file 1 to file 0: SARE_HEAD_XMIMEO_MS
+#@@# Moved file 1 to file 0: SARE_RECV_IP_069060122
+#@@# Moved file 1 to file 0: SARE_XMAIL_DYNAMAILER
+#@@# Moved file 2 to file 0: SARE_HEAD_HDR_XE
+#@@# Replaced __SARE_HEAD_HDR_MIMEV in SARE_HEAD_MIME_INVALID with SA 2.60 rule __MIME_VERSION
+#@@# Replaced __SARE_HEAD_MAIL_BAT1 in SARE_HEAD_BAT_WEB with SA 3.1.0 rule __THEBAT_MUA
+
+# License: Artistic - see http://www.rulesemporium.com/license.txt
+# Current Maintainer: Bob Menschel - RMSA@Menschel.net
+# Current Home: http://www.rulesemporium.com/rules/70_sare_header0.cf
+#
+# Usage: This family of files, 70_sare_header*.cf, contain rules that test email headers
+# (except the Subject header, which is handled in the 70_sare_genlsubj*.cf family of files).
+#
+# File 0: 70_sare_header0.cf -- These are header rules that hit at least 10 spam and no ham.
+# While SARE cannot guarantee they never will hit ham, they have not hit ham in any SARE mass-check, against tens of thousands of ham.
+# This is a rules file we expect any/all email systems using SpamAssassin to benefit from.
+#
+# File 1: 70_sare_header1.cf -- These are header rules that meet one of the follow criteria:
+# a) Rules that do, or in the past have hit ham during SARE mass-check tests
+# b) Rules that hit no ham and currently do not hit more than 10 spam in any single mass-check run.
+# If the rules hit ham, they hit at last 10 spam to each 1 ham.
+# With few exceptions these rules score significantly less than the rules in file 0.
+# Systems which are very sensitive to false positives and/or need to be very careful about resource use may want to exclude this ruleset,
+# pick and choose among its rules, or lower their scores.
+# Systems that use this file 1 should ALSO use file 0.
+#
+# File 2: 70_sare_header2.cf -- These header rules hit no spam at this time, but they are considered "safe" rules that should never hit ham.
+# These are primarily rules that test for specific headers seen only in spam, or similar types of "pretty darn sure" rules.
+# Systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset file to avoid its overhead,
+# but systems with plenty of resources that want to be aggressive against spam may benefit from this ruleset file.
+#
+# File 3: 70_sare_header3.cf -- These are header rules that hit a significant amount of ham during SARE mass-check tests.
+# Systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
+#
+# File 4: 70_sare_header4.cf -- These are header rules that meet one of the following criteria:
+# a) They hit over 100 ham during SARE mass-check tests, but still hit enough spam to be worth while to aggressively anti-spam systems.
+# b) They hit no emails at this time, but have been recommended by anti-spam sources (such as rules developed from Spam-L list reports).
+# Again, systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
+#
+# eng: 70_sare_header_eng.cf -- These are header rules which work well within the English language, but are liable to cause false
+# positives in other languages. They include rules which test for letter combinations and encoded header headers. Systems that
+# receive ham in languages other than English should NOT use this file.
+#
+# x264_x30: 70_sare_header_x264_x30.cf -- These are header rules which have been incorporated into both SpamAssassin 2.64 and 3.0.x,
+# or which duplicate or greatly overlap both 3.0.x rules.
+# Systems which have installed SpamAssassin version 2.64 or 3.0.x should therefore NOT use this file.
+#
+# x30: 70_sare_header_x30.cf -- These are header rules which have been incorporated into SpamAssassin 3.0.x,
+# or which duplicate or greatly overlap 3.0.x rules.
+# Systems which have installed SpamAssassin 3.0.x should therefore NOT use this file.
+#
+# arc: 70_sare_header_arc.cf -- These are header rules that once were published in other files, but which have since lost all value.
+# They either hit too much ham (without hitting enough spam to make it worth while), or they don't hit any spam.
+# SARE regularly runs mass-checks on these rules to see if any of them are worth reviving, but
+# we expect that nobody will be running these rules in any production system.
+
+######## ###################### ##################################################
+# Component rules used within meta rules
+######## ###################### ##################################################
+
+header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
+#counts __SARE_HEAD_8BIT_SUBJ 17149s/110h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts __SARE_HEAD_8BIT_SUBJ 3478s/2h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts __SARE_HEAD_8BIT_SUBJ 2s/1h of 26190 corpus (22790s/3400h MY) 02/15/05
+
+######## ###################### ##################################################
+# Meta rules used to prevent --lint errors after moving/changing rules
+######## ###################### ##################################################
+
+meta SARE_HEAD_HDR_APPROV 0
+meta SARE_HEAD_HDR_CONVWLS 0
+meta SARE_HEAD_HDR_DISCREC 0
+meta SARE_HEAD_HDR_XENC 0
+meta SARE_HEAD_HDR_XENVID 0
+meta SARE_HEAD_HDR_XMAILID 0
+meta SARE_HEAD_HDR_XTID 0
+meta SARE_FROM_PRINTER 0
+meta SARE_FROM_DEBT 0
+meta SARE_FROM_DVDCOPY 0
+meta SARE_FROM_SPAM_CHAR0 0
+meta SARE_FREE_WEBM_Jpop 0
+meta SARE_FREE_WEBM_NETCITY 0
+meta SARE_FREE_WEBM_ZCom03 0
+meta SARE_MSGID_LONG 0
+meta SARE_HELO_YAHOO 0
+meta SARE_RECV_SPAM_DOMN0a 0
+meta SARE_RECV_SPAM_DOMN02 0
+meta SARE_RECV_VIRTUACOMBR 0
+meta SARE_RECV_IP_066111 0
+meta SARE_RECV_IP_081019 0
+meta SARE_RECV_IP_082154 0
+meta SARE_RECV_IP_195229 0
+meta SARE_RECV_IP_200150 0
+meta SARE_RECV_IP_218216 0
+meta SARE_RECV_IP_222000 0
+meta SARE_RECV_IP_222126 0
+meta SARE_XMAIL_PSSMAILER 0
+meta SARE_XMAIL_RLSP 0
+meta SARE_MULT_VIA_CITIZNET 0
+meta SARE_FROM_SUPPORT_DIG 0
+meta SARE_TOCC_BCC_MANY 0
+meta SARE_HEAD_HDR_EPATH 0
+meta SARE_HEAD_HDR_XAR 0
+meta SARE_HEAD_HDR_XNOSPAM 0
+meta SARE_FROM_QUOTE 0
+meta SARE_FROM_SPACE2 0
+meta SARE_MSGID_EMPTY 0
+meta SARE_RECV_SPAM_DOMN81 0
+meta SARE_RECV_SPAM_NAME0 0
+meta SARE_FROM_SPAM_NAME0 0
+meta SARE_HEAD_HDR_XAUTOGN 0
+meta SARE_HEAD_HDR_XCCDIAG 0
+meta SARE_HEAD_HDR_XMLFILT 0
+meta SARE_HELO_MAIL 0
+meta SARE_HEAD_HDR_XACWGHT 0
+meta SARE_HEAD_HDR_XMCAVTP 0
+meta SARE_USERAG_Dig 0
+meta SARE_HEAD_HDR_XUNOLOOK 0
+meta SARE_MSGID_2KDD 0
+meta SARE_REPLY_SPAMWORD0 0
+meta SARE_FROM_SPAM_WORD0 0
+meta SARE_TOCC_COMBO1 0
+meta SARE_FROM_UK2NET2 0
+meta SARE_FREE_WEBM_NetSafe 0
+meta SARE_FREE_WEBM_ZCom02 0
+meta SARE_RECV_SKANOVA 0
+meta SARE_RECV_IP_061050 0
+meta SARE_RECV_IP_140117 0
+meta SARE_RECV_IP_211216 0
+meta SARE_TO_EMPTY 0
+meta SARE_HEAD_8BIT_SPAM 0
+meta SARE_RECV_SPAM_DOMN3 0
+meta SARE_BOUNDARY_D8 0
+meta SARE_HEAD_HDR_XCONTAC 0
+meta SARE_RECV_IP_066114b 0
+meta SARE_BOUNDARY_05 0
+meta SARE_BOUNDARY_06 0
+meta SARE_FREE_WEBM_ZZa001 0
+meta SARE_FROM_CAPS_MSN 0
+meta SARE_FROM_NUM_9DIG 0
+meta SARE_FROM_SPAM_DOMN0 0
+meta SARE_FROM_SPAM_PL1 0
+meta SARE_HEAD_8BIT_DATE 0
+meta SARE_HEAD_8BIT_NOSPM 0
+meta SARE_HEAD_DATE14 0
+meta SARE_HEAD_DATE_5L 0
+meta SARE_HEAD_HDR_XLISTAD 0
+meta SARE_HEAD_HDR_XRIPE 0
+meta SARE_HEAD_HDR_XWTID 0
+meta SARE_HEAD_HDR_XWTVERS 0
+meta SARE_HELO_SERVER 0
+meta SARE_MSGID_D1D1D2D16 0
+meta SARE_RECV_BEZEQINT_B 0
+meta SARE_RECV_IP_061072 0
+meta SARE_RECV_IP_061190 0
+meta SARE_RECV_IP_061228 0
+meta SARE_RECV_IP_062023 0
+meta SARE_RECV_IP_192116 0
+meta SARE_RECV_IP_203177 0
+meta SARE_RECV_IP_218078 0
+meta SARE_RECV_IP_221124 0
+meta SARE_RECV_IP_222064 0
+meta SARE_RECV_ISWEST 0
+meta SARE_RECV_PATMEDIA 0
+meta SARE_BOUNDARY_NP2 0
+meta SARE_CONTENT_BITBITNUM 0
+meta SARE_FROM_VIRUS1 0
+meta SARE_HEAD_HDR_JLH 0
+meta SARE_HEAD_HDR_RTNPATH 0
+meta SARE_MULT_RATW_03 0
+meta SARE_RECV_IP_064192191 0
+meta SARE_BOUNDARY_D10 0
+meta SARE_HEAD_HDR_XMAILTH 0
+meta SARE_HEAD_HDR_XMLRSRV 0
+meta SARE_HEAD_HDR_XSMTPSV 0
+meta SARE_HEAD_HDR_XUMAIL 0
+meta SARE_MSGID_LONG50 0
+meta SARE_RECV_SPAM_DOMN04 0
+meta SARE_XMAIL_GOMAIL 0
+meta SARE_HEAD_8BIT_RECV 0
+meta SARE_RECV_FEP5 0
+meta SARE_RECV_IP_203210128 0
+meta SARE_RECV_SPAM_DOMN06 0
+meta SARE_FREE_WEBM_ZCom05 0
+meta SARE_HEAD_XUNSENT 0
+meta SARE_RECV_IP_069050210 0
+meta SARE_RECV_IP_206131 0
+meta SARE_RECV_IP_206248152 0
+meta SARE_RECV_PORTHELO_1 0
+meta SARE_RECV_PORTHELO_2 0
+meta SARE_RECV_PORTHELO_3 0
+meta SARE_RECV_CHAR_CARAT 0
+meta SARE_MULT_RATW_02 0
+meta SARE_BOUNDARY_LC 0
+meta SARE_FREE_WEBM_FrVoila 0
+meta SARE_RECV_IP_066165224 0
+meta SARE_RECV_IP_218088 0
+meta SARE_XMAIL_TOLMAIL 0
+meta SARE_RECV_IP_063111025 0
+meta SARE_RECV_RANDOM 0
+meta SARE_BOUNDARY_LC 0
+meta SARE_FREE_WEBM_FrVoila 0
+meta SARE_HEAD_XWORD 0
+meta SARE_RECV_IP_066165224 0
+meta SARE_RECV_IP_218088 0
+meta SARE_XMAIL_TOLMAIL 0
+meta SARE_RECV_IP_063111025 0
+meta SARE_RECV_RANDOM 0
+meta SARE_MULT_RATW_02 0
+meta SARE_HEAD_HDR_XBBOUNC 0
+meta SARE_RECV_IP_071004246 0
+
+#####################################################################################
+# SARE Header-Exists rules
+######## ###################### ##################################################
+
+header SARE_HEAD_HDR_CONVER exists:Conversion
+describe SARE_HEAD_HDR_CONVER Message headers used which identify spam
+score SARE_HEAD_HDR_CONVER 1.111
+#stype SARE_HEAD_HDR_CONVER spamp
+#counts SARE_HEAD_HDR_CONVER 12s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_HDR_CONVER 54s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_HEAD_HDR_CONVER 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_CONVER 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_CONVER 10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_CONVER 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_CONVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_HDR_CONVER 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_HEAD_HDR_DISPNOP exists:Disposition-Notification-Options
+describe SARE_HEAD_HDR_DISPNOP Message headers used which identify spam
+score SARE_HEAD_HDR_DISPNOP 1.111
+#stype SARE_HEAD_HDR_DISPNOP spamp
+#counts SARE_HEAD_HDR_DISPNOP 16s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_HDR_DISPNOP 60s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_DISPNOP 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_DISPNOP 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_DISPNOP 13s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_DISPNOP 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_HDR_DISPNOP 14s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_DISPNOP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_LANG exists:Language
+describe SARE_HEAD_HDR_LANG Message headers used which identify spam
+score SARE_HEAD_HDR_LANG 1.666
+#stype SARE_HEAD_HDR_LANG spamp
+#counts SARE_HEAD_HDR_LANG 122s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_HDR_LANG 413s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_LANG 78s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_LANG 86s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_LANG 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_HEAD_HDR_LANG 3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_HEAD_HDR_LANG 19s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_HDR_LANG 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_LANG 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_NLETRID exists:Newsletter-ID
+describe SARE_HEAD_HDR_NLETRID Message headers used which identify spam
+score SARE_HEAD_HDR_NLETRID 1.666
+#stype SARE_HEAD_HDR_NLETRID spamp
+#counts SARE_HEAD_HDR_NLETRID 0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#max SARE_HEAD_HDR_NLETRID 173s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#counts SARE_HEAD_HDR_NLETRID 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_HEAD_HDR_NLETRID 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HEAD_HDR_NLETRID 28s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_HDR_NLETRID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_HDR_NLETRID 12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_NLETRID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_PID exists:PID
+describe SARE_HEAD_HDR_PID Message headers used which identify spam
+score SARE_HEAD_HDR_PID 1.666
+#stype SARE_HEAD_HDR_PID spamp
+#counts SARE_HEAD_HDR_PID 1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_HDR_PID 139s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#counts SARE_HEAD_HDR_PID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_PID 36s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_HDR_PID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_HDR_PID 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_PID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_PREVNDR exists:Prevent-NonDelivery-Report
+describe SARE_HEAD_HDR_PREVNDR Message headers used which identify spam
+score SARE_HEAD_HDR_PREVNDR 1.666
+#stype SARE_HEAD_HDR_PREVNDR spamp
+#counts SARE_HEAD_HDR_PREVNDR 19s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_HDR_PREVNDR 129s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_PREVNDR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_PREVNDR 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_PREVNDR 20s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_PREVNDR 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_HDR_PREVNDR 21s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_PREVNDR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XBNCETR 
exists:X-BounceTrace
+describe SARE_HEAD_HDR_XBNCETR Message headers used which identify spam
+score SARE_HEAD_HDR_XBNCETR 1.111
+#stype SARE_HEAD_HDR_XBNCETR spamp
+#counts SARE_HEAD_HDR_XBNCETR 96s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#counts SARE_HEAD_HDR_XBNCETR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XBNCETR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XBNCETR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XBNCETR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XCAMPIDZ exists:X-Campidz
+describe SARE_HEAD_HDR_XCAMPIDZ Message headers used which identify spam
+score SARE_HEAD_HDR_XCAMPIDZ 2.333
+#stype SARE_HEAD_HDR_XCAMPIDZ spamp
+#counts SARE_HEAD_HDR_XCAMPIDZ 2171s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XCAMPIDZ 9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XCLIHST exists:X-ClientHost
+describe SARE_HEAD_HDR_XCLIHST Message headers used which identify spam
+score SARE_HEAD_HDR_XCLIHST 2.888
+#stype SARE_HEAD_HDR_XCLIHST spamp
+#counts SARE_HEAD_HDR_XCLIHST 7465s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XCLIHST 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_HDR_XCLIHST 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_HEAD_HDR_XCLIHST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XCLIHST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XE exists:X-E
+describe SARE_HEAD_HDR_XE Message headers used which identify spam
+score SARE_HEAD_HDR_XE 1.666
+#counts SARE_HEAD_HDR_XE 810s/0h of 689155 corpus (348140s/341015h RM) 
09/18/05
+#counts SARE_HEAD_HDR_XE 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XE 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XCSIP exists:X-CS-IP
+describe SARE_HEAD_HDR_XCSIP Message headers used which identify spam
+score SARE_HEAD_HDR_XCSIP 1.666
+#stype SARE_HEAD_HDR_XCSIP spamp
+#hist SARE_HEAD_HDR_XCSIP FH_HAS_CS_IP
+#counts SARE_HEAD_HDR_XCSIP 155s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_HDR_XCSIP 590s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_XCSIP 101s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_XCSIP 127s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_HEAD_HDR_XCSIP 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_HDR_XCSIP 136s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XCSIP 13s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_HDR_XCSIP 98s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_XCSIP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XEMAIL exists:X-EMail
+describe SARE_HEAD_HDR_XEMAIL Message headers used which identify spam
+score SARE_HEAD_HDR_XEMAIL 1.666
+#stype SARE_HEAD_HDR_XEMAIL spamp
+#counts SARE_HEAD_HDR_XEMAIL 841s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XENCVER exists:X-Encoding-Version
+describe SARE_HEAD_HDR_XENCVER Message headers used which identify spam
+score SARE_HEAD_HDR_XENCVER 
1.666
+#stype SARE_HEAD_HDR_XENCVER spamp
+#counts SARE_HEAD_HDR_XENCVER 306s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XENCVER 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XENCVER 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XENCVER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XENCVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XFIND exists:X-Find
+describe SARE_HEAD_HDR_XFIND Message headers used which identify spam
+score SARE_HEAD_HDR_XFIND 1.666
+#stype SARE_HEAD_HDR_XFIND spamp
+#counts SARE_HEAD_HDR_XFIND 306s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XFIND 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XFIND 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XFIND 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XFIND 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XGMAILA exists:X-Gmail-Account
+describe SARE_HEAD_HDR_XGMAILA Message headers used which identify spam
+score SARE_HEAD_HDR_XGMAILA 1.111
+#stype SARE_HEAD_HDR_XGMAILA spamp
+#counts SARE_HEAD_HDR_XGMAILA 3s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_HDR_XGMAILA 20s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#counts SARE_HEAD_HDR_XGMAILA 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XGMAILA 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XGMAILA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XGMAILA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XGMXAV exists:X-GMX-Antivirus
+describe SARE_HEAD_HDR_XGMXAV Message headers used which identify spam
+score SARE_HEAD_HDR_XGMXAV 1.666
+#counts SARE_HEAD_HDR_XGMXAV 171s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_HDR_XGMXAV 199s/0h of 
400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_HEAD_HDR_XGMXAV 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_HDR_XGMXAV 33s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XGMXAV 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_XGMXAV 10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XGMXAV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XGMXAV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XIDSRVR exists:X-Identity-Server
+describe SARE_HEAD_HDR_XIDSRVR Message headers used which identify spam
+score SARE_HEAD_HDR_XIDSRVR 1.111
+#stype SARE_HEAD_HDR_XIDSRVR spamp
+#hist SARE_HEAD_HDR_XIDSRVR Bob Menschel, June 3 2005, idea by Alex Broens
+#counts SARE_HEAD_HDR_XIDSRVR 15s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+#counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+
+header SARE_HEAD_HDR_XRMDTXT exists:X-RMD-Text
+describe SARE_HEAD_HDR_XRMDTXT Message headers used which identify spam
+score SARE_HEAD_HDR_XRMDTXT 1.111
+#stype SARE_HEAD_HDR_XRMDTXT spamp
+#counts SARE_HEAD_HDR_XRMDTXT 33s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_HDR_XRMDTXT 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XRMVADR exists:X-Remove-Address
+describe SARE_HEAD_HDR_XRMVADR Message headers used which 
identify spam
+score SARE_HEAD_HDR_XRMVADR 1.111
+#stype SARE_HEAD_HDR_XRMVADR spamp
+#counts SARE_HEAD_HDR_XRMVADR 38s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_HDR_XRMVADR 42s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_HEAD_HDR_XRMVADR 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#counts SARE_HEAD_HDR_XRMVADR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XRMVADR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XRMVADR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRMVADR 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_HEAD_HDR_XRSPCID exists:X-Responder-CID
+describe SARE_HEAD_HDR_XRSPCID Message headers used which identify spam
+score SARE_HEAD_HDR_XRSPCID 1.111
+#stype SARE_HEAD_HDR_XRSPCID spamp
+#counts SARE_HEAD_HDR_XRSPCID 25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#counts SARE_HEAD_HDR_XRSPCID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XRSPCID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XRSPCID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRSPCID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XRSPRID exists:X-Responder-ID
+describe SARE_HEAD_HDR_XRSPRID Message headers used which identify spam
+score SARE_HEAD_HDR_XRSPRID 1.111
+#stype SARE_HEAD_HDR_XRSPRID spamp
+#counts SARE_HEAD_HDR_XRSPRID 71s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XRSPRID 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_HDR_XRSPRID 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#counts SARE_HEAD_HDR_XRSPRID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XRSPRID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRSPRID 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_HEAD_HDR_XRSPUSR exists:X-Responder-USR
+describe SARE_HEAD_HDR_XRSPUSR Message headers used which identify spam
+score SARE_HEAD_HDR_XRSPUSR 1.111
+#stype SARE_HEAD_HDR_XRSPUSR spamp
+#counts SARE_HEAD_HDR_XRSPUSR 25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XSPAMTST exists:X-SpamTest-Info
+describe SARE_HEAD_HDR_XSPAMTST Message headers used which identify spam
+score SARE_HEAD_HDR_XSPAMTST 1.111
+#stype SARE_HEAD_HDR_XSPAMTST spamp
+#hist SARE_HEAD_HDR_XSPAMTST Bob Menschel, May 14, 2005
+#counts SARE_HEAD_HDR_XSPAMTST 43s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_HDR_XSPAMTST 57s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_HEAD_HDR_XSPTRID exists:X-SP-Track-ID
+describe SARE_HEAD_HDR_XSPTRID Message headers used which identify spam
+score SARE_HEAD_HDR_XSPTRID 1.666
+#stype SARE_HEAD_HDR_XSPTRID spamp
+#hist SARE_HEAD_HDR_XSPTRID FH_XSPTRACK
+#counts SARE_HEAD_HDR_XSPTRID 593s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XSPTRID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XSPTRID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XSPTRID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSPTRID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XUOLSRV exists:X-UOL-Srv
+describe SARE_HEAD_HDR_XUOLSRV Message headers used which identify spam
+score 
SARE_HEAD_HDR_XUOLSRV 1.111
+#stype SARE_HEAD_HDR_XUOLSRV spamp
+#counts SARE_HEAD_HDR_XUOLSRV 23s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XWCMID exists:X-WCMailID
+describe SARE_HEAD_HDR_XWCMID Message headers used which identify spam
+score SARE_HEAD_HDR_XWCMID 2.222
+#counts SARE_HEAD_HDR_XWCMID 1011s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XWCMID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XWCMID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XWCMID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XWCMID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XWEBMTM exists:X-Webmail-Time
+describe SARE_HEAD_HDR_XWEBMTM Message headers used which identify spam
+score SARE_HEAD_HDR_XWEBMTM 1.666
+#stype SARE_HEAD_HDR_XWEBMTM spamp
+#counts SARE_HEAD_HDR_XWEBMTM 237s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_HDR_XWEBMTM 351s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_XWEBMTM 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_HEAD_HDR_XWEBMTM 78s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XWEBMTM 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_XWEBMTM 112s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XWEBMTM 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_HDR_XWEBMTM 41s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_XWEBMTM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Content-Type and Boundary rules
+######## ###################### ##################################################
+
+header SARE_BOUNDARY_02 Content-Type =~ /boundary\=('|\")?\~{10,}/
+describe SARE_BOUNDARY_02 Too many ~'s in the boundary.
+score SARE_BOUNDARY_02 0.650
+#hist SARE_BOUNDARY_02 MY_BOUNDARY2
+#counts SARE_BOUNDARY_02 37s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_BOUNDARY_02 51s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_BOUNDARY_02 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_BOUNDARY_02 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_02 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_BOUNDARY_03 Content-Type =~ /boundary="-{10}[A-F0-9]{20,}"/
+describe SARE_BOUNDARY_03 Content type boundary used in spam or virus
+score SARE_BOUNDARY_03 1.666
+#stype SARE_BOUNDARY_03 spamp
+#hist SARE_BOUNDARY_03 Created by Bob Menschel May 31 2004
+#counts SARE_BOUNDARY_03 59s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_BOUNDARY_03 132s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_BOUNDARY_03 0s/0h of 13447 corpus (11336s/2111h MY) 06/02/04
+#counts SARE_BOUNDARY_03 590s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_03 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_03 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_BOUNDARY_10 Content-Type =~ /boundary=\"----[a-z\d]{10}-[\w\.]+\"$/is
+describe SARE_BOUNDARY_10 Possible spam flag
+score SARE_BOUNDARY_10 2.333
+#hist SARE_BOUNDARY_10 Loren Wilton, Feb 21 2005
+#counts SARE_BOUNDARY_10 1831s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_BOUNDARY_10 2495s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_BOUNDARY_10 117s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_10 0s/0h 
of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_BOUNDARY_10 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_BOUNDARY_11 Content-Type =~ /boundary=\"--\d{2,7}-\d{2,7}-\d{2,7}\"/
+score SARE_BOUNDARY_11 1.344
+describe SARE_BOUNDARY_11 Possible spam flag
+#hist SARE_BOUNDARY_11 Loren Wilton, Feb 21 2005
+#counts SARE_BOUNDARY_11 77s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_BOUNDARY_11 125s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_BOUNDARY_11 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_11 38s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_BOUNDARY_11 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_BOUNDARY_11 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_BOUNDARY_12 Content-Type =~ /boundary=\"--[a-z]+\d+[a-z]+"/ # no /i
+describe SARE_BOUNDARY_12 Possible spam flag
+score SARE_BOUNDARY_12 1.666
+#hist SARE_BOUNDARY_12 Loren Wilton, Feb 21 2005
+#counts SARE_BOUNDARY_12 60s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_BOUNDARY_12 288s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_BOUNDARY_12 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_12 41s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_BOUNDARY_12 45s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_12 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_BOUNDARY_12 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_BOUNDARY_13 Content-Type =~ /boundary=\"Java\.[A-Z]{5}\.\d{10,30}"/ # no /i
+score SARE_BOUNDARY_13 1.666
+describe SARE_BOUNDARY_13 Possible spam flag
+#hist SARE_BOUNDARY_13 Loren Wilton, Feb 21 2005
+#counts SARE_BOUNDARY_13 29s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_BOUNDARY_13 614s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts 
SARE_BOUNDARY_13 61s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_13 86s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_BOUNDARY_13 133s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_13 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_BOUNDARY_13 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_BOUNDARY_D9 Content-Type =~ /boundary="\d{9}"/
+describe SARE_BOUNDARY_D9 Content type boundary used in spam or virus
+score SARE_BOUNDARY_D9 1.111
+#stype SARE_BOUNDARY_D9 spamp
+#hist SARE_BOUNDARY_D9 Created by Bob Menschel May 31 2004
+#counts SARE_BOUNDARY_D9 76s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_BOUNDARY_D9 80s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_BOUNDARY_D9 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_BOUNDARY_D9 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_BOUNDARY_D9 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_BOUNDARY_D9 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_BOUNDARY_D11 Content-Type =~ /boundary="\d{11}"/
+describe SARE_BOUNDARY_D11 Content type boundary used in spam or virus
+score SARE_BOUNDARY_D11 1.666
+#stype SARE_BOUNDARY_D11 spamp
+#hist SARE_BOUNDARY_D11 Created by Bob Menschel May 31 2004
+#counts SARE_BOUNDARY_D11 112s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_D11 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_D11 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_BOUNDARY_D11 7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_BOUNDARY_D11 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_BOUNDARY_D12 Content-Type =~ /boundary="\d{12,}"/
+meta SARE_BOUNDARY_D12 __SARE_BOUNDARY_D12 && !MIME_BOUND_DIGITS_15
+describe SARE_BOUNDARY_D12 Content type boundary used in spam or virus
+score SARE_BOUNDARY_D12 1.666
+#stype SARE_BOUNDARY_D12 spamp
+#hist SARE_BOUNDARY_D12 Created by Bob Menschel May 31 2004
+#V300 SARE_BOUNDARY_D12 Converted to meta to avoid double-scoring new SA 3.0 MIME_BOUND_DIGITS_15 rule
+#counts SARE_BOUNDARY_D12 412s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_D12 188s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_BOUNDARY_D12 238s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_BOUNDARY_D12 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_BOUNDARY_D12 32s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_BOUNDARY_D12 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_BOUNDARY_D12 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#alone SARE_BOUNDARY_D12 701s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+
+header SARE_BOUNDARY_ANYDIG Content-Type =~ /boundary="--.*\[\d\]/i
+describe SARE_BOUNDARY_ANYDIG Content type boundary used in spam and viruses
+score SARE_BOUNDARY_ANYDIG 1.666
+#hist SARE_BOUNDARY_ANYDIG Created by Bob Menschel May 7 2005, suggested by Alex Broens
+#counts SARE_BOUNDARY_ANYDIG 143s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_BOUNDARY_ANYDIG 282s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#counts SARE_BOUNDARY_ANYDIG 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_BOUNDARY_ANYDIG 85s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+#counts SARE_BOUNDARY_ANYDIG 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_BOUNDARY_QZSOFT content-type =~ /boundary="qzsoft_directmail_seperator"/
+describe SARE_BOUNDARY_QZSOFT Identifies spam from specific spamware
+score SARE_BOUNDARY_QZSOFT 1.666
+#hist SARE_BOUNDARY_QZSOFT Loren Wilton, LW_DIRECTMAIL, Sep 5 2004
+#counts SARE_BOUNDARY_QZSOFT 347s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_QZSOFT 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_BOUNDARY_QZSOFT 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts 
SARE_BOUNDARY_QZSOFT 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_BOUNDARY_QZSOFT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_QZSOFT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE From Rules
+######## ###################### ##################################################
+
+header __AOL_FROM From:addr =~ /\@(?:aol|cs)\.com$/i
+header __SARE_FROM_GOODAOL From =~ /[a-z][a-z0-9]{2,15}\@aol.com/i
+describe __SARE_FROM_GOODAOL Partial Rule: Marks Bad AOL Addresses
+meta SARE_FROM_BADAOL __AOL_FROM && !__SARE_FROM_GOODAOL
+describe SARE_FROM_BADAOL From an Invalid AOL Email Address
+score SARE_FROM_BADAOL 1.666
+#hist SARE_FROM_BADAOL KAM.COMBO_BADAOL Originally submitted by from Kevin A. McGrail
+#hist SARE_FROM_BADAOL Rule based on Kelson Vibber's MD code for bogus AOL Addresses
+#hist SARE_FROM_BADAOL Check for bogus AOL addresses as described at
+#hist SARE_FROM_BADAOL http://postmaster.aol.com/faq/mailerfaq.html#syntax
+#hist SARE_FROM_BADAOL Rule for good addresses: all alphanumeric, starting with a letter, from 3 to 16 characters long.
+#note SARE_FROM_BADAOL __AOL_FROM is SA Distrib rule
+#counts SARE_FROM_BADAOL 226s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_FROM_BADAOL 359s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_FROM_BADAOL 30s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FROM_BADAOL 51s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FROM_BADAOL 1s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#max SARE_FROM_BADAOL 10s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FROM_BADAOL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_BADAOL 4s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_FROM_DRUGS From =~ /\b(?:cialis|levitra|phentermine|valium|viagra|vicodin|xanax)\b/i
+describe SARE_FROM_DRUGS From a drug
+score SARE_FROM_DRUGS 1.666
+#hist SARE_FROM_DRUGS Bob Menschel May 14 2005, from sample provided by Joanne Dow
+#hist SARE_FROM_DRUGS Split SOMA to new SARE_FROM_DRUGS2 rule because of ham.
+#counts SARE_FROM_DRUGS 243s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_FROM_DRUGS 753s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
+#counts SARE_FROM_DRUGS 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_FROM_DRUGS 17s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_DRUGS 2s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+#counts SARE_FROM_DRUGS 72s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_FROM_DRUGS 108s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_FROM_DRUGS 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_FROM_HOODIA From =~ /"Hoodia/i
+describe SARE_FROM_HOODIA From who do ya say?
+score SARE_FROM_HOODIA 1.666
+#stype SARE_FRMO_HOODIA spamg
+#hist SARE_FROM_HOODIA Loren Wilton, Sept 2005
+#counts SARE_FROM_HOODIA 45s/0h of 659759 corpus (325842s/333917h RM) 09/20/05
+#counts SARE_FROM_HOODIA 31s/0h of 56592 corpus (51660s/4932h MY) 09/22/05
+#counts SARE_FROM_HOODIA 1s/0h of 10551 corpus (5780s/4771h CT) 09/18/05
+
+header SARE_FROM_PAYPAL_INV From =~ /(?:admin|services|support|update|verification)\@paypal.com/i
+describe SARE_FROM_PAYPAL_INV From invalid address at PayPal
+score SARE_FROM_PAYPAL_INV 1.111
+#stype SARE_FROM_PAYPAL_INV spamp
+#hist SARE_FROM_PAYPAL_INV Created by Bob Menschel Sep 24 2004
+#counts SARE_FROM_PAYPAL_INV 27s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_FROM_PAYPAL_INV 39s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_FROM_PAYPAL_INV 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_PAYPAL_INV 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_FROM_PAYPAL_INV 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FROM_PAYPAL_INV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_SPAM_NAME2 From =~ /(?:Dating Tips|Email-Gallery|everyday-solution|Free Credit Report|FreebieFix|Long Distance|medmicro|Shape Solutions|TMobile Authorized Dealer|TheGolfWarehouses|Typing Teacher|Value Center|freePriority Shipping|funpage|koldny|propecia|thedailyfreesamples)/i
+describe SARE_FROM_SPAM_NAME2 From address suggests this is spam
+score SARE_FROM_SPAM_NAME2 1.666
+#stype SARE_FROM_SPAM_NAME2 spamp
+#hist SARE_FROM_SPAM_NAME2 COMBINED.FROM and other sources
+#counts SARE_FROM_SPAM_NAME2 140s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_SPAM_NAME2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FROM_SPAM_NAME2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_SPAM_NAME2 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_FROM_SPAM_NAME2 16s/0h of 20489 corpus 
(17189s/3300h MY) 01/30/05
+#counts SARE_FROM_SPAM_NAME2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_SPAM_NAME2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_WSJ From:name =~ /Wall Street (?:News Alert|Journal Online|Stock Wizard|Detective|Universe|Update|Chronicle)/i
+score SARE_FROM_WSJ 1.666
+#hist SARE_FROM_WSJ Matt Yackley, Apr 15 2005, expanded by Bob Menschel
+#counts SARE_FROM_WSJ 77s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_FROM_WSJ 86s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#counts SARE_FROM_WSJ 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FROM_WSJ 11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+#counts SARE_FROM_WSJ 258s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_WSJ 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+#####################################################################################
+# SARE From Rules -- Emails coming from free webmail accounts
+# Since spam from these can vary depending upon country of origin,
+# country of destination, policies, and enforcement of policies,
+# most of these are kept as separate rules rather than combined.
+######## ###################### ##################################################
+
+header SARE_FREE_WEBM_COMWALL From =~ /\@walla\.com/i
+describe SARE_FREE_WEBM_COMWALL Maybe spammer with free email
+score SARE_FREE_WEBM_COMWALL 1.666
+#hist SARE_FREE_WEBM_COMWALL Created by Bob Menschel Sep 26 2004
+#counts SARE_FREE_WEBM_COMWALL 851s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_COMWALL 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_FREE_WEBM_COMWALL 10s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_FREE_WEBM_COMWALL 13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_FREE_WEBM_COMWALL 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FREE_WEBM_COMWALL 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_FREE_WEBM_Dora From =~ /\bdoramail\.com/i
+describe SARE_FREE_WEBM_Dora Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Dora 1.666
+#counts SARE_FREE_WEBM_Dora 182s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_Dora 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_Dora 20s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FREE_WEBM_Dora 18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_FREE_WEBM_Dora 21s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_FREE_WEBM_Dora 10s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_FREE_WEBM_Dora 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_Dora 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_WEBM_ERESMAS From =~ /eresmas\.com/i
+describe SARE_FROM_WEBM_ERESMAS Probable spammer
+score SARE_FROM_WEBM_ERESMAS 1.666
+#hist SARE_FROM_WEBM_ERESMAS Bob Menschel May 14 2005
+#counts SARE_FROM_WEBM_ERESMAS 113s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_FROM_WEBM_ERESMAS 619s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
+#counts 
SARE_FROM_WEBM_ERESMAS 13s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FROM_WEBM_ERESMAS 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05 +#counts SARE_FROM_WEBM_ERESMAS 26s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 +#counts SARE_FROM_WEBM_ERESMAS 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 + +header SARE_FREE_WEBM_EsTerra From =~ /\bterra\.es/i +describe SARE_FREE_WEBM_EsTerra Sender used free email account - may be spammer +score SARE_FREE_WEBM_EsTerra 1.666 +#counts SARE_FREE_WEBM_EsTerra 142s/0h of 619677 corpus (318875s/300802h RM) 09/11/05 +#max SARE_FREE_WEBM_EsTerra 228s/0h of 274235 corpus (109066s/165169h RM) 05/15/05 +#counts SARE_FREE_WEBM_EsTerra 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FREE_WEBM_EsTerra 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_FREE_WEBM_EsTerra 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_FREE_WEBM_EsTerra 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FREE_WEBM_Kero From =~ /\bKeromail\.com/i +describe SARE_FREE_WEBM_Kero Sender used free email account - may be spammer +score SARE_FREE_WEBM_Kero 0.950 +#counts SARE_FREE_WEBM_Kero 29s/0h of 619677 corpus (318875s/300802h RM) 09/11/05 +#max SARE_FREE_WEBM_Kero 46s/0h of 97268 corpus (79437s/17831h RM) 01/24/04 +#counts SARE_FREE_WEBM_Kero 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#max SARE_FREE_WEBM_Kero 12s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_FREE_WEBM_Kero 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_FREE_WEBM_Kero 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FREE_WEBM_Kero 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FREE_WEBM_LATINML From =~ /\@latinmail\.com/i +describe SARE_FREE_WEBM_LATINML Maybe spammer with free email +score SARE_FREE_WEBM_LATINML 1.666 +#hist SARE_FREE_WEBM_LATINML Created by Bob Menschel Sep 28 2004 +#counts SARE_FREE_WEBM_LATINML 124s/1h of 619677 
corpus (318875s/300802h RM) 09/11/05 +#max SARE_FREE_WEBM_LATINML 296s/0h of 275081 corpus (134226s/140855h RM) 05/30/05 +#counts SARE_FREE_WEBM_LATINML 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_FREE_WEBM_LATINML 19s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FREE_WEBM_LATINML 7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 +#counts SARE_FREE_WEBM_LATINML 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#max SARE_FREE_WEBM_LATINML 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_FREE_WEBM_LATINML 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FREE_WEBM_OwnEm1 From =~ /\@(?:ownemail|akkadian|alarmists|armymail|arsed|astromail|barefooted|bellybuster|bemused|bigisbeautiful|bigisbetter|bigsecret|blag|blahdeblah|blowitup|boardmaster|bobbles|boster|brutes|buttonpushers|chalky|changeplace|charlies|chasing|cherrycola|chewies|chocolatejunkies|clubfever|codemaster|creaky|crumbly|currymonster|cutemail|darkcorner|darkplace|daydreamer|deepdesire|desilver|diddled|djsuperstars|doleoffice|dotters|downboy|ducktail|elitists|emergencymail)\.com/i +describe SARE_FREE_WEBM_OwnEm1 Sender used free email account - may be spammer +#describ SARE_FREE_WEBM_OwnEm1 These are all aliases of the OwnEmail.Com service, from which we get spam. +score SARE_FREE_WEBM_OwnEm1 1.666 +#note SARE_FREE_WEBM_OwnEm1 The SARE_FREE_WEBM_OWNEMn rules all apply to the same webmail host -- score identically as long as no ham match. 
+#counts SARE_FREE_WEBM_OwnEm1 11s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_FREE_WEBM_OwnEm1 159s/0h of 115937 corpus (94614s/21323h) 04/29/04
+#counts SARE_FREE_WEBM_OwnEm1 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_OwnEm1 19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FREE_WEBM_OwnEm1 31s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_FREE_WEBM_OwnEm1 35s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FREE_WEBM_OwnEm1 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_FREE_WEBM_OwnEm1 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_OwnEm1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FREE_WEBM_OwnEm2 From =~ /\@(?:fairyqueen|fantasyforce|fastbowler|firelord|fynns|gameaddict|gobby|hothatches|kickedout|kred|lemonmail|liquidlunch|lovesecrets|luckster|lucys|madder|makethebreak|manmachine|mippy|misssporty|mistersporty|mrlottery|mrsporty|nagging|naseem|nicked|ownplace|pammy|poppet|qualitymail|r-a-v-e|raddled|ribber|shearer|slouching|spoofer|stalkers|sthelens|stubby|sunstertacomail|taureans|tenderkiss|thearchway|thebrewer|thecutest|thelostworld|tiggy|tizzi|tosser|trilby)\.com/i
+describe SARE_FREE_WEBM_OwnEm2 Sender used free email account - may be spammer
+score SARE_FREE_WEBM_OwnEm2 1.666
+#note SARE_FREE_WEBM_OWNEm2 The SARE_FREE_WEBM_OWNEMn rules all apply to the same webmail host -- score identically as long as no ham match.
+#counts SARE_FREE_WEBM_OwnEm2 12s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_FREE_WEBM_OwnEm2 153s/0h of 115937 corpus (94614s/21323h) 04/29/04
+#counts SARE_FREE_WEBM_OwnEm2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_OwnEm2 8s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FREE_WEBM_OwnEm2 35s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FREE_WEBM_OwnEm2 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FREE_WEBM_OwnEm2 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_FREE_WEBM_Uymail From =~ /\buymail\.com/i
+describe SARE_FREE_WEBM_Uymail Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Uymail 1.228
+#counts SARE_FREE_WEBM_Uymail 22s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_FREE_WEBM_Uymail 103s/0h of 125163 corpus (104972s/20191h) 03/28/04
+#counts SARE_FREE_WEBM_Uymail 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_FREE_WEBM_Uymail 1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#max SARE_FREE_WEBM_Uymail 4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FREE_WEBM_Uymail 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_Uymail 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FREE_WEBM_Zwallet From =~ /\bzwallet\.com/i
+describe SARE_FREE_WEBM_Zwallet Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Zwallet 1.666
+#counts SARE_FREE_WEBM_Zwallet 241s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_Zwallet 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_Zwallet 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FREE_WEBM_Zwallet 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FREE_WEBM_Zwallet 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FREE_WEBM_Zwallet 11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+#####################################################################################
+# SARE Message-ID rules
+######## ###################### ##################################################
+
+header SARE_MSGID_1Z1Z MESSAGEID =~ /<1z.+\@1z/
+describe SARE_MSGID_1Z1Z Message-ID has ratware pattern (1zXXXX@1z)
+score SARE_MSGID_1Z1Z 2.222
+#counts SARE_MSGID_1Z1Z 978s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_MSGID_1Z1Z 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_MSGID_1Z1Z 94s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
+#counts SARE_MSGID_1Z1Z 527s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_MSGID_1Z1Z 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_1Z1Z 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_MSGID_HEX30 MESSAGEID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
+describe SARE_MSGID_HEX30 Message-ID has ratware pattern (HEXHEXHEX$9x9@)
+score SARE_MSGID_HEX30 1.666
+#counts SARE_MSGID_HEX30 18s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#counts SARE_MSGID_HEX30 235s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_MSGID_HEX30 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#counts SARE_MSGID_HEX30 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
+#counts SARE_MSGID_HEX30 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+
+#####################################################################################
+# SARE Received Header Rules
+######## ###################### ##################################################
+
+header SARE_HELO_MAILUSER Received =~ /helo=MailUser\)/i
+describe SARE_HELO_MAILUSER Received header has possible spamsign
+score SARE_HELO_MAILUSER 1.111
+#stype SARE_HELO_MAILUSER spamp
+#hist SARE_HELO_MAILUSER Created by Bob Menschel May 31 2004
+#counts SARE_HELO_MAILUSER 7s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HELO_MAILUSER 12s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#counts SARE_HELO_MAILUSER 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_HELO_MAILUSER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HELO_MAILUSER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HELO_MAILUSER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_LOCALHOST Received =~ /localhosts\.txt/i
+describe SARE_RECV_LOCALHOST fingerprint
+score SARE_RECV_LOCALHOST 1.111
+#stype SARE_RECV_LOCALHOST spamp
+#hist SARE_RECV_LOCALHOST Alex Broens, June 2005
+#counts SARE_RECV_LOCALHOST 1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_LOCALHOST 77s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
+#counts SARE_RECV_LOCALHOST 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_LOCALHOST 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_SUSP_2 Received =~ /from\s+[A-Z0-9]+\s+\(\[10\.2\.202\.25\]\)\s+by\s+[A-Z0-9]+\.[a-z]+/
+describe SARE_RECV_SUSP_2 Spammer sign in headers
+score SARE_RECV_SUSP_2 1.666
+#hist SARE_RECV_SUSP_2 LW_RATWARE1
+#counts SARE_RECV_SUSP_2 31s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_SUSP_2 69s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_RECV_SUSP_2 31s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_SUSP_2 124s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_SUSP_2 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_SUSP_2 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_SUSP_2 8s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_SUSP_2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_TRADVALUES Received =~ /\btraditionalvalues\.org/i
+describe SARE_RECV_TRADVALUES From or passed through spammer/unreliable domain
+score SARE_RECV_TRADVALUES 3.333
+#stype SARE_RECV_TRADVALUES spamgg
+#hist SARE_RECV_TRADVALUES RM_hr_tradvalues
+#counts SARE_RECV_TRADVALUES 79s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_TRADVALUES 97s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
+#counts SARE_RECV_TRADVALUES 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
+#counts SARE_RECV_TRADVALUES 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
+#counts SARE_RECV_TRADVALUES 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_TRADVALUES 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_VIPLIST Received =~ /\b(?:viplist\.us|\[216.74.127.234\])/
+describe SARE_RECV_VIPLIST Email comes from known spammer system
+score SARE_RECV_VIPLIST 4.000
+#stype SARE_RECV_VIPLIST spamggg
+#hist SARE_RECV_VIPLIST Created by Bob Menschel Sep 29 2004
+#counts SARE_RECV_VIPLIST 46s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_VIPLIST 255s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_RECV_VIPLIST 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_VIPLIST 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_RECV_VIPLIST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_VIPLIST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_XACTRIX Received =~ /\b(?:accutra|xactrix)\.com/i
+describe SARE_RECV_XACTRIX From/through probable spammer system
+score SARE_RECV_XACTRIX 2.500
+#stype SARE_RECV_XACTRIX spamg
+#hist SARE_RECV_XACTRIX Created by Bob Menschel Sep 03 2004
+#counts SARE_RECV_XACTRIX 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#max SARE_RECV_XACTRIX 11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_RECV_XACTRIX 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_XACTRIX 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_XACTRIX 21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_XACTRIX 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_XACTRIX 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Received Header IP Address Rules
+######## ###################### ##################################################
+
+header SARE_RECV_IP_004078 Received =~ /\[4\.78\.193\.\d{1,3}\]/
+describe SARE_RECV_IP_004078 Spam passed through possible spammer relay
+score SARE_RECV_IP_004078 1.666
+#hist SARE_RECV_IP_004078 Created by Bob Menschel Feb 5 2005 from Spam-L information
+#note SARE_RECV_IP_004078 CWIE, LLC
+#counts SARE_RECV_IP_004078 0s/0h of 95095 corpus (59680s/35415h RM) 02/05/05
+#counts SARE_RECV_IP_004078 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_004078 347s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_004078 397s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_004078 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_004078 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_038112147 Received =~ /\[38\.112\.147\.\d{1,3}\]/
+describe SARE_RECV_IP_038112147 Spam passed through possible spammer relay
+score SARE_RECV_IP_038112147 1.111
+#stype SARE_RECV_IP_038112147 spamp
+#hist SARE_RECV_IP_038112147 Created by Bob Menschel, Feb 19 2005, from Spam-L posting
+#counts SARE_RECV_IP_038112147 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_RECV_IP_038112147 66s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
+#counts SARE_RECV_IP_038112147 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_038112147 3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_RECV_IP_038112147 3s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_RECV_IP_038112147 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_038112147 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_061052 Received =~ /\[61\.5[2-4]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061052 Spam passed through possible spammer relay
+score SARE_RECV_IP_061052 1.666
+#stype SARE_RECV_IP_061052 spamp
+#hist SARE_RECV_IP_061052 Created by Bob Menschel May 10 2004
+#counts SARE_RECV_IP_061052 410s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_061052 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_061052 25s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_061052 13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_RECV_IP_061052 15s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_RECV_IP_061052 18s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_061052 19s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_061052 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_061172 Received =~ /\[61\.17[23]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061172 Spam passed through possible spammer relay
+score SARE_RECV_IP_061172 1.666
+#stype SARE_RECV_IP_061172 spamp
+#counts SARE_RECV_IP_061172 206s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_IP_061172 305s/0h of 119325 corpus (98981s/20344h) 03/22/04
+#counts SARE_RECV_IP_061172 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_061172 27s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_061172 276s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_061172 45s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_IP_061172 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+header SARE_RECV_IP_063106130 Received =~ /\[63\.106\.130\.\d{1,3}\]/
+describe SARE_RECV_IP_063106130 Spam passed through possible spammer relay
+score SARE_RECV_IP_063106130 1.111
+#stype SARE_RECV_IP_063106130 spamp
+#hist SARE_RECV_IP_063106130 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_063106130 Data Depot LLC
+#counts SARE_RECV_IP_063106130 5s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#max SARE_RECV_IP_063106130 15s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
+#counts SARE_RECV_IP_063106130 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_063106130 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_063106130 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_063106130 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_064069032 Received =~ /\[64\.69\.32\.\d{1,3}\]/
+describe SARE_RECV_IP_064069032 Spam passed through possible spammer relay
+score SARE_RECV_IP_064069032 1.111
+#stype SARE_RECV_IP_064069032 spamp
+#hist SARE_RECV_IP_064069032 Created by Bob Menschel Aug 07 2005
+#counts SARE_RECV_IP_064069032 13s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_064069032 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_064069032 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_064192082 received =~ /\[64\.192\.8[23]\.\d{1,3}\]/
+describe SARE_RECV_IP_064192082 Spam passed through possible spammer relay
+score SARE_RECV_IP_064192082 1.111
+#stype SARE_RECV_IP_064192082 spamp
+#hist SARE_RECV_IP_064192082 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
+#counts SARE_RECV_IP_064192082 0s/0h of 98352 corpus (59690s/38662h RM) 01/29/05
+#counts SARE_RECV_IP_064192082 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_064192082 9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_064192082 39s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_064192082 0s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_064192082 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_066059094 Received =~ /\[66\.59\.94\.\d{1,3}\]/
+describe SARE_RECV_IP_066059094 Spam passed through possible spammer relay
+score SARE_RECV_IP_066059094 2.333
+#hist SARE_RECV_IP_066059094 Created by Bob Menschel Aug 07 2005
+#counts SARE_RECV_IP_066059094 2505s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_066059094 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_066059094 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_066063 Received =~ /\[66\.63\.178\.\d{1,3}\]/
+describe SARE_RECV_IP_066063 Passed through possible spammer relay or source
+score SARE_RECV_IP_066063 1.111
+#stype SARE_RECV_IP_066063 spamp
+#hist SARE_RECV_IP_066063 Created by Bob Menschel Feb 10 2005 from Spam-L info
+#counts SARE_RECV_IP_066063 0s/0h of 118836 corpus (71083s/47753h RM) 02/10/05
+#counts SARE_RECV_IP_066063 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_RECV_IP_066063 21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_066063 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_066063 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_066114a Received =~ /\[66\.114\.217\.\d{1,3}\]/
+describe SARE_RECV_IP_066114a Spam passed through possible spammer relay
+score SARE_RECV_IP_066114a 1.111
+#stype SARE_RECV_IP_066114a spamp
+#hist SARE_RECV_IP_066114a Created by Bob Menschel Feb 5 2005 from Spam-L info
+#note SARE_RECV_IP_066114a SW FLA Hosting
+#counts SARE_RECV_IP_066114a 0s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#max SARE_RECV_IP_066114a 27s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_RECV_IP_066114a 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_066114a 13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_066114a 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_066114a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_066159017 Received =~ /\[66\.159\.17\.8[4-7]\]/
+describe SARE_RECV_IP_066159017 Spam passed through possible spammer relay
+score SARE_RECV_IP_066159017 1.666
+#hist SARE_RECV_IP_066159017 Created by Bob Menschel Aug 07 2005
+#counts SARE_RECV_IP_066159017 219s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_066159017 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_066159017 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_069060122 Received =~ /\[69\.60\.122\.\d{1,3}\]/
+describe SARE_RECV_IP_069060122 Spam passed through possible spammer relay
+score SARE_RECV_IP_069060122 1.111
+#stype SARE_RECV_IP_069060122 spamp
+#hist SARE_RECV_IP_069060122 Created by Bob Menschel May 14 2005
+#counts SARE_RECV_IP_069060122 28s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_069060122 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_069060122 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_070096177 Received =~ /\[70\.96\.177\.\d{1,3}\]/
+describe SARE_RECV_IP_070096177 Spam passed through possible spammer relay
+score SARE_RECV_IP_070096177 1.666
+#stype SARE_RECV_IP_070096177 spamp
+#hist SARE_RECV_IP_070096177 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_070096177 Broadlogix
+#counts SARE_RECV_IP_070096177 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_RECV_IP_070096177 78s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_RECV_IP_070096177 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_070096177 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_070096177 48s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+
+header SARE_RECV_IP_071004200 Received =~ /\[71\.4\.2\d\d\.\d{1,3}\]/
+describe SARE_RECV_IP_071004200 Spam passed through possible spammer relay
+score SARE_RECV_IP_071004200 1.666
+#stype SARE_RECV_IP_071004200 spamp
+#hist SARE_RECV_IP_071004200 Created by Bob Menschel May 14 2005
+#counts SARE_RECV_IP_071004200 17s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_IP_071004200 51s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_RECV_IP_071004200 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_071004200 298s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_071004200 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_RECV_IP_072034096 Received =~ /\[72\.34\.(?:9[6-9]|1(?:0\d|1[01]))\.\d{1,3}\]/
+describe SARE_RECV_IP_072034096 Spam passed through possible spammer relay
+score SARE_RECV_IP_072034096 1.666
+#stype SARE_RECV_IP_072034096 spamp
+#hist SARE_RECV_IP_072034096 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_072034096 Race Technologies
+#counts SARE_RECV_IP_072034096 4s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_IP_072034096 255s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
+#counts SARE_RECV_IP_072034096 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_072034096 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_072034096 4s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_204010039 Received =~ /\[204\.10\.39\.(?:3[2-9]|[45]\d|6[0-3])\]/
+describe SARE_RECV_IP_204010039 Spam passed through possible spammer relay
+score SARE_RECV_IP_204010039 1.111
+#stype SARE_RECV_IP_204010039 spamp
+#hist SARE_RECV_IP_204010039 Created by Bob Menschel Aug 07 2005
+#note SARE_RECV_IP_204010039 Strategic Impact Concepts
+#counts SARE_RECV_IP_204010039 34s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_204010039 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_204010039 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_206081080 received =~ /\[206\.81\.(?:8\d|9[0-5])\.\d{1,3}\]/
+describe SARE_RECV_IP_206081080 Spam passed through possible spammer relay
+score SARE_RECV_IP_206081080 1.666
+#stype SARE_RECV_IP_206081080 spamp
+#hist SARE_RECV_IP_206081080 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
+#counts SARE_RECV_IP_206081080 4s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_IP_206081080 32s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
+#counts SARE_RECV_IP_206081080 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_206081080 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_206081080 80s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_206081080 152s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_RECV_IP_206081080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_206081080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_207182 Received =~ /\[207\.182\.146\.(?:19[2-9]|2\d{2})\]/
+describe SARE_RECV_IP_207182 Passed through possible spammer relay or source
+score SARE_RECV_IP_207182 1.666
+#stype SARE_RECV_IP_207182 spamp
+#hist SARE_RECV_IP_207182 Created by Bob Menschel Feb 10 2005 from Spam-L info
+#counts SARE_RECV_IP_207182 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_RECV_IP_207182 26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_RECV_IP_207182 71s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_207182 20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_207182 57s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_RECV_IP_207182 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_207182 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_208048182 Received =~ /\[208.48\.182\.\d{1,3}\]/
+describe SARE_RECV_IP_208048182 Spam passed through possible spammer relay
+score SARE_RECV_IP_208048182 1.111
+#stype SARE_RECV_IP_208048182 spamp
+#hist SARE_RECV_IP_208048182 Created by Bob Menschel May 14 2005
+#counts SARE_RECV_IP_208048182 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
+#counts SARE_RECV_IP_208048182 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_208048182 36s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_208048182 43s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_RECV_IP_208053011 Received =~ /\[208\.53\.11\.\d{1,3}\]/
+describe SARE_RECV_IP_208053011 Spam passed through possible spammer relay
+score SARE_RECV_IP_208053011 1.666
+#stype SARE_RECV_IP_208053011 spamp
+#hist SARE_RECV_IP_208053011 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_208053011 Advanced Dedicated Database Servers LLC
+#counts SARE_RECV_IP_208053011 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_RECV_IP_208053011 5s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#counts SARE_RECV_IP_208053011 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_208053011 17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_216055133 Received =~ /\[216\.55\.133\.\d{1,3}\]/
+describe SARE_RECV_IP_216055133 Spam passed through possible spammer relay
+score SARE_RECV_IP_216055133 1.111
+#stype SARE_RECV_IP_216055133 spamp
+#hist SARE_RECV_IP_216055133 Created by Bob Menschel May 14 2005
+#counts SARE_RECV_IP_216055133 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
+#counts SARE_RECV_IP_216055133 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_216055133 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_216055133 15s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_RECV_IP_218011 Received =~ /\[218\.1[12]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218011 Spam passed through Chinese CNCGROUP-HE system
+score SARE_RECV_IP_218011 1.666
+#stype SARE_RECV_IP_218011 spamp
+#counts SARE_RECV_IP_218011 60s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_IP_218011 149s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
+#counts SARE_RECV_IP_218011 22s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_218011 6s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_218011 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_218011 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_218011 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_218062 Received =~ /\[218\.6[23]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218062 Passed through possible spammer relay or source
+score SARE_RECV_IP_218062 1.111
+#stype SARE_RECV_IP_218062 spamp
+#hist SARE_RECV_IP_218062 Created by Bob Menschel Aug 09 2004
+#counts SARE_RECV_IP_218062 55s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_218062 8s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_218062 5s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_218062 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_218062 5s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_218062 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_218071 Received =~ /\[218\.71\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218071 Spam passed through possible spammer relay
+score SARE_RECV_IP_218071 1.666
+#hist SARE_RECV_IP_218071 Created by Bob Menschel Apr 04 2004
+#counts SARE_RECV_IP_218071 160s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#counts SARE_RECV_IP_218071 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_218071 126s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_218071 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#max SARE_RECV_IP_218071 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_218071 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_218085 Received =~ /\[218\.8[56]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218085 Passed through possible spammer relay or source
+score SARE_RECV_IP_218085 1.666
+#stype SARE_RECV_IP_218085 spamp
+#hist SARE_RECV_IP_218085 Created by Bob Menschel Aug 23 2004
+#counts SARE_RECV_IP_218085 122s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_218085 14s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_RECV_IP_218085 17s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05 +#counts SARE_RECV_IP_218085 51s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 +#max SARE_RECV_IP_218085 51s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 +#counts SARE_RECV_IP_218085 5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 +#max SARE_RECV_IP_218085 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_RECV_IP_218085 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_RECV_IP_219159 Received =~ /\[219\.159\.(?:6[4-9]|[7-9]\d|\d{3})\.\d{1,3}\]/ +describe SARE_RECV_IP_219159 Spam passed through possible spammer relay +score SARE_RECV_IP_219159 1.111 +#stype SARE_RECV_IP_219159 spamp +#hist SARE_RECV_IP_219159 Created by Bob Menschel Apr 28 2004 +#counts SARE_RECV_IP_219159 52s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_219159 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_RECV_IP_219159 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_RECV_IP_219159 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_RECV_IP_219159 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#max SARE_RECV_IP_219159 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_RECV_IP_219159 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_RECV_IP_219248 Received =~ /\[219\.248\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_219248 Passed through possible spammer relay or source +score SARE_RECV_IP_219248 1.666 +#hist SARE_RECV_IP_219248 Created by Bob Menschel Dec 09 2004 +#note SARE_RECV_IP_219248 Korea Network Information Center +#counts SARE_RECV_IP_219248 325s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_219248 30s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_RECV_IP_219248 11s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_RECV_IP_219248 7s/0h of 
10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_219248 19s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_219248 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_220168 Received =~ /\[220\.1(?:6[89]|70)\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_220168 Passed through possible spammer relay or source
+score SARE_RECV_IP_220168 1.666
+#note SARE_RECV_IP_220168 ChinaNet, Hunan Province
+#hist SARE_RECV_IP_220168 Created by Bob Menschel Nov 13 2004
+#counts SARE_RECV_IP_220168 85s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_IP_220168 104s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_RECV_IP_220168 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_220168 111s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_220168 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_220168 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_220168 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_220189 Received =~ /\[220\.189\.(?:\d|[1-5]\d|6[0-3])\.\d{1,3}\]/
+describe SARE_RECV_IP_220189 Passed through possible spammer relay or source
+score SARE_RECV_IP_220189 0.844
+#hist SARE_RECV_IP_220189 Created by Bob Menschel May 1 2004
+#counts SARE_RECV_IP_220189 28s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_IP_220189 28s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_RECV_IP_220189 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_220189 18s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#max SARE_RECV_IP_220189 18s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_RECV_IP_220189 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_220189 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_221000 Received =~ /\[221\.[0-3]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_221000 Passed through possible
spammer relay or source
+score SARE_RECV_IP_221000 1.433
+#hist SARE_RECV_IP_221000 Created by Bob Menschel Jul 24 2004
+#counts SARE_RECV_IP_221000 117s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_221000 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_221000 24s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_221000 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_221000 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_221000 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_222032 Received =~ /\[222\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_222032 Spam passed through possible spammer relay
+score SARE_RECV_IP_222032 2.222
+#stype SARE_RECV_IP_222032 spamp
+#note SARE_RECV_IP_222032 China Railway Telecommunications Center , Beijing
+#hist SARE_RECV_IP_222032 Created by Bob Menschel Feb 24 2005
+#counts SARE_RECV_IP_222032 1699s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_222032 70s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_222032 89s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_222032 38s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_222032 103s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_222032 2s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+#####################################################################################
+# SARE Reply-To Header Rules
+######## ###################### ##################################################
+
+header SARE_REPLY_XACTRIX Reply-To =~ /\b(?:accutra|xactrix)\.com/i
+describe SARE_REPLY_XACTRIX Reply-To email addr to spammer
+score SARE_REPLY_XACTRIX 1.666
+#stype SARE_REPLY_XACTRIX spamg
+#hist SARE_REPLY_XACTRIX Created by Bob Menschel Sep 03 2004
+#counts SARE_REPLY_XACTRIX 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#max
SARE_REPLY_XACTRIX 11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_REPLY_XACTRIX 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_REPLY_XACTRIX 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_REPLY_XACTRIX 21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_REPLY_XACTRIX 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_REPLY_XACTRIX 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE To/Cc Destination rules
+######## ###################### ##################################################
+
+header __SARE_TOCC_MULT_BIGFT5 ToCc =~ /(?:\@bigfoot.com\b.*){5}/i
+meta SARE_TOCC_MULT_BIGFT5 __SARE_TOCC_MULT_BIGFT5 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 || SARE_TOCC_MULT_BIGFT7 || SARE_TOCC_MULT_BIGFT6 )
+describe SARE_TOCC_MULT_BIGFT5 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT5 1.666
+#hist SARE_TOCC_MULT_BIGFT5 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT5 42s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_TOCC_MULT_BIGFT5 271s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_TOCC_MULT_BIGFT5 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT5 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_MULT_BIGFT5 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_MULT_BIGFT5 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_TOCC_MULT_BIGFT6 ToCc =~ /(?:\@bigfoot.com\b.*){6}/i
+meta SARE_TOCC_MULT_BIGFT6 __SARE_TOCC_MULT_BIGFT6 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 || SARE_TOCC_MULT_BIGFT7 )
+describe SARE_TOCC_MULT_BIGFT6 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT6 1.666
+#hist SARE_TOCC_MULT_BIGFT6 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT6 21s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_TOCC_MULT_BIGFT6 396s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_TOCC_MULT_BIGFT6 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT6 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_MULT_BIGFT6 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_MULT_BIGFT6 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_TOCC_MULT_BIGFT7 ToCc =~ /(?:\@bigfoot.com\b.*){7}/i
+meta SARE_TOCC_MULT_BIGFT7 __SARE_TOCC_MULT_BIGFT7 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 )
+describe SARE_TOCC_MULT_BIGFT7 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT7 1.122
+#hist SARE_TOCC_MULT_BIGFT7 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT7 34s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_TOCC_MULT_BIGFT7 102s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_TOCC_MULT_BIGFT7 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT7 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_MULT_BIGFT7 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_MULT_BIGFT7 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_TOCC_MULT_BIGFT8 ToCc =~ /(?:\@bigfoot.com\b.*){8}/i
+meta SARE_TOCC_MULT_BIGFT8 __SARE_TOCC_MULT_BIGFT8 && !( SARE_TOCC_MULT_BIGFT9 )
+describe SARE_TOCC_MULT_BIGFT8 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT8 1.172
+#stype SARE_TOCC_MULT_BIGFT8 fixed
+#hist SARE_TOCC_MULT_BIGFT8 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT8 25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_TOCC_MULT_BIGFT8 111s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_TOCC_MULT_BIGFT8 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT8 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_MULT_BIGFT8 0s/0h of 10853 corpus (6391s/4462h CT)
05/16/05
+#counts SARE_TOCC_MULT_BIGFT8 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_TOCC_MULT_BIGFT9 ToCc =~ /(?:\@bigfoot.com\b.*){9}/i
+describe SARE_TOCC_MULT_BIGFT9 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT9 1.666
+#hist SARE_TOCC_MULT_BIGFT9 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT9 125s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_TOCC_MULT_BIGFT9 283s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_TOCC_MULT_BIGFT9 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT9 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_MULT_BIGFT9 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_MULT_BIGFT9 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE User-Agent rules
+######## ###################### ##################################################
+
+header SARE_USERAG_2 User-Agent =~ /eGroups Message Poster/
+describe SARE_USERAG_2 Strange user-agent header implying spam
+score SARE_USERAG_2 3.333
+#stype SARE_USERAG_2 spamgg
+#counts SARE_USERAG_2 35s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_USERAG_2 57s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_USERAG_2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_USERAG_2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_USERAG_2 2s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_USERAG_2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#max SARE_USERAG_2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_USERAG_2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_USERAG_3 User-Agent =~ /8.0 for Windows sub 6014/i
+describe SARE_USERAG_3 Strange user-agent header implying spam
+score SARE_USERAG_3 3.333
+#stype SARE_USERAG_3 spamgg
+#hist SARE_USERAG_3 Created by Bob Menschel
Apr 28 2004
+#counts SARE_USERAG_3 28s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_USERAG_3 40s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_USERAG_3 8s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_USERAG_3 9s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_USERAG_3 2s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_USERAG_3 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_USERAG_3 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_USERAG_3 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_USERAG_3 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_USERAG_BAT User-Agent =~ /^The Bat!/
+describe SARE_USERAG_BAT Spamware pretending to be 'The Bat!'
+score SARE_USERAG_BAT 2.222
+#stype SARE_USERAG_BAT spamg
+#hist SARE_USERAG_BAT Tim Jackson, May 12 2005
+#counts SARE_USERAG_BAT 94s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_USERAG_BAT 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_USERAG_BAT 14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_USERAG_BAT 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+#counts SARE_USERAG_BAT 15s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_USERAG_BAT 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_USERAG_BAT 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_USERAG_SPAM0 User-Agent =~ /(?:Foxmail|VXmailer|Mail Bomber|Rodriquezmail|LMAIL|MOMENTUM)/
+describe SARE_USERAG_SPAM0 Was sent by a SPAM User Agent
+score SARE_USERAG_SPAM0 1.666
+#hist SARE_USERAG_SPAM0 SARE_TM2_RW_UA
+#counts SARE_USERAG_SPAM0 159s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_USERAG_SPAM0 175s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_USERAG_SPAM0 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_USERAG_SPAM0 29s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts
SARE_USERAG_SPAM0 5s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_USERAG_SPAM0 19s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_USERAG_SPAM0 15s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_USERAG_SPAM0 3s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+#####################################################################################
+# SARE X-Mailer Rules
+######## ###################### ##################################################
+
+header SARE_XMAIL_DIRUNIV X-Mailer =~ /Direct Universe/i
+describe SARE_XMAIL_DIRUNIV Apparently uses spam/bulk mailer
+score SARE_XMAIL_DIRUNIV 1.111
+#stype SARE_XMAIL_DIRUNIV spamp
+#hist SARE_XMAIL_DIRUNIV Bob Menschel, May 14 2005
+#counts SARE_XMAIL_DIRUNIV 36s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_XMAIL_DIRUNIV 48s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_XMAIL_DIRUNIV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_DIRUNIV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_XMAIL_DIRUNIV 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_XMAIL_DIRUNIV 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_XMAIL_DYNAMAILER X-Mailer =~ /Dynamailer/
+describe SARE_XMAIL_DYNAMAILER Bulk email fingerprint (DynaMailer) found
+score SARE_XMAIL_DYNAMAILER 1.111
+#stype SARE_XMAIL_DYNAMAILER spamp
+#hist SARE_XMAIL_DYNAMAILER Suggested via SA Dev mailing list bug 4127, Feb 9 2005
+#counts SARE_XMAIL_DYNAMAILER 14s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_DYNAMAILER 0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
+#counts SARE_XMAIL_DYNAMAILER 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+#counts SARE_XMAIL_DYNAMAILER 1s/0h of 682 corpus (290s/392h CRF) 02/16/05
+#counts SARE_XMAIL_DYNAMAILER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_DYNAMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_XMAIL_FNORD
X-Mailer =~ m'KYX CP/M FNORD 5602'
+describe SARE_XMAIL_FNORD Recognized spam sign in xmail header
+score SARE_XMAIL_FNORD 1.666
+#hist SARE_XMAIL_FNORD Loren Wilton, Jul 23 2005
+#counts SARE_XMAIL_FNORD 527s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_FNORD 34s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_XMAIL_FNORD 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_XMAIL_INTERMED X-Mailer =~ /\bIntermedia mail\b/i
+describe SARE_XMAIL_INTERMED possible spamware
+score SARE_XMAIL_INTERMED 0.850
+#hist SARE_XMAIL_INTERMED Alex Broens, June 30 2005
+#counts SARE_XMAIL_INTERMED 51s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_INTERMED 1s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_XMAIL_INTERMED 1s/0h of 6905 corpus (1401s/5504h ft) 07/24/05
+
+header SARE_XMAIL_LEO X-Mailer =~ /^[A-Z][a-x]+\s[a-z]{2}\s\d\.\d\d\s*$/ # no /i
+score SARE_XMAIL_LEO 2.333
+describe SARE_XMAIL_LEO Spamsign in x-mailer header
+#hist SARE_XMAIL_LEO Loren Wilton, Sept 07, 2005
+#counts SARE_XMAIL_LEO 2625s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_LEO 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_XMAIL_LEO 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_XMAIL_PHPBulkEmai X-Mailer =~ /PHPBulkEmailer/i
+describe SARE_XMAIL_PHPBulkEmai Apparently uses spam/bulk mailer
+score SARE_XMAIL_PHPBulkEmai 1.111
+#stype SARE_XMAIL_PHPBulkEmai spamp
+#hist SARE_XMAIL_PHPBulkEmai Bob Menschel, Apr 11, 2005, from suggestion by Loren Wilton
+#counts SARE_XMAIL_PHPBulkEmai 14s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_XMAIL_PHPBulkEmai 45s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_XMAIL_PHPBulkEmai 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_PHPBulkEmai 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_XMAIL_PHPBulkEmai 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts
SARE_XMAIL_PHPBulkEmai 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_XMAIL_RANDMAILER X-Mailer =~ /^([a-z]{4,12} ){1,3}$/
+describe SARE_XMAIL_RANDMAILER only 1-3 lowercase words in X-mailer field
+score SARE_XMAIL_RANDMAILER 2.222
+#hist SARE_XMAIL_RANDMAILER from Pierre Thomson
+#counts SARE_XMAIL_RANDMAILER 413s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_RANDMAILER 103s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_XMAIL_RANDMAILER 112s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_XMAIL_RANDMAILER 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_XMAIL_RANDMAILER 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_XMAIL_RANDMAILER 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_XMAIL_RANDMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_XMAIL_TTBOARD X-Mailer =~ /TTBOARD/i
+describe SARE_XMAIL_TTBOARD X-Mailer used by spammer
+score SARE_XMAIL_TTBOARD 1.666
+#stype SARE_XMAIL_TTBOARD spamp
+#hist SARE_XMAIL_TTBOARD Created by Bob Menschel Jan 14 2005, based on info from Joel Rubin via Spam-L
+#counts SARE_XMAIL_TTBOARD 15s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_XMAIL_TTBOARD 230s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_XMAIL_TTBOARD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_XMAIL_TTBOARD 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_XMAIL_TTBOARD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_TTBOARD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Miscellaneous and X-Header header rules
+######## ###################### ##################################################
+
+header SARE_HEAD_DATE46 Date =~ /^.{46}$/
+describe SARE_HEAD_DATE46 Date header suggests this is spam
+score SARE_HEAD_DATE46 1.666
+#counts
SARE_HEAD_DATE46 409s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE46 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HEAD_DATE46 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HEAD_DATE46 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE46 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_LOC_INV1 Location =~ /^[a-z]+(?:\s[a-z]+)*$/ # no /i
+describe SARE_HEAD_LOC_INV1 Improper location
+score SARE_HEAD_LOC_INV1 1.666
+#hist SARE_HEAD_LOC_INV1 Loren Wilton, Feb 21 2005
+#counts SARE_HEAD_LOC_INV1 130s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_LOC_INV1 24s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HEAD_LOC_INV1 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HEAD_LOC_INV1 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_LOC_INV1 127s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_LOC_INV1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __MIME_VERSION exists:MIME-Version
+header __SARE_HEAD_MIME_VALID Mime-Version =~ m'^\s*1.0\b'
+meta SARE_HEAD_MIME_INVALID !__SARE_HEAD_MIME_VALID && __MIME_VERSION
+describe SARE_HEAD_MIME_INVALID Invalid mime version
+score SARE_HEAD_MIME_INVALID 1.666
+#stype SARE_HEAD_MIME_INVALID spamp
+#hist SARE_HEAD_MIME_INVALID Bob Menschel, June 15 2006, inspired by Alex Broens
+#counts SARE_HEAD_MIME_INVALID 150s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_MIME_INVALID 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+
+header __SARE_HEAD_MIME_PROD MIME-Version =~ /\(produced by [a-z]+ \d\.\d\)/
+header __SARE_HEAD_MIME_PROD2 Mime-Version =~ /^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$/
+header __SARE_HEAD_MIME_PROD3 MIME-Version =~ /1.0 \(produced by [a-z]+ \d+\.\d+\)\s*$/
+meta SARE_HEAD_MIME_PROD __SARE_HEAD_MIME_PROD || __SARE_HEAD_MIME_PROD2 || __SARE_HEAD_MIME_PROD3
+describe SARE_HEAD_MIME_PROD
Ratware MIME Version
+score SARE_HEAD_MIME_PROD 2.666
+#hist SARE_HEAD_MIME_PROD Originally: SARE_TM2_RW_MV
+#hist SARE_HEAD_MIME_PROD Feb 26 2005: Added patterns offered by Eric Fagan and Loren Wilton
+#counts SARE_HEAD_MIME_PROD 284s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_MIME_PROD 862s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_MIME_PROD 309s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_MIME_PROD 364s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_HEAD_MIME_PROD 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HEAD_MIME_PROD 62s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_MIME_PROD 460s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_MIME_PROD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_THRD_ALNUM Thread-Index =~ /ALNUM/
+describe SARE_HEAD_THRD_ALNUM Spam fingerprint in thread index
+score SARE_HEAD_THRD_ALNUM 0.839
+#hist SARE_HEAD_THRD_ALNUM Alex Broens, July 27 2005
+#counts SARE_HEAD_THRD_ALNUM 51s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#counts SARE_HEAD_THRD_ALNUM 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+header SARE_HEAD_XMF_AUTHSNDR X-Message-flag =~ /Authentic Sender/i
+describe SARE_HEAD_XMF_AUTHSNDR Headers contains spam sign
+score SARE_HEAD_XMF_AUTHSNDR 1.666
+#stype SARE_HEAD_XMF_AUTHSNDR spamp
+#hist SARE_HEAD_XMF_AUTHSNDR Created by Bob Menschel Jan 29 2005 from idea submitted by Alex Broens
+#counts SARE_HEAD_XMF_AUTHSNDR 109s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_XMF_AUTHSNDR 726s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_HEAD_XMF_AUTHSNDR 67s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_XMF_AUTHSNDR 27s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_HEAD_XMF_AUTHSNDR 54s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_HEAD_XMF_AUTHSNDR 26s/0h of 10590 corpus
(5819s/4771h CT) 07/26/05
+#max SARE_HEAD_XMF_AUTHSNDR 89s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_XMF_AUTHSNDR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_XM4 ALL =~ /\nX-M-.{4}:/ # usually 4:28:12
+describe SARE_HEAD_XM4 Contains spamsign header
+score SARE_HEAD_XM4 1.111
+#stype SARE_HEAD_XM4 spamp
+#hist SARE_HEAD_XM4 Loren Wilton, June 2005
+#counts SARE_HEAD_XM4 80s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_XM4 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_HEAD_XM4 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+header SARE_HEAD_XMIMEO_MS X-MimeOLE =~ /Mircosoft MimeOLE/i
+describe SARE_HEAD_XMIMEO_MS Ratware-misspelled header
+score SARE_HEAD_XMIMEO_MS 1.666
+#stype SARE_HEAD_XMIMEO_MS spamg
+#hist SARE_HEAD_XMIMEO_MS Idea from dfs@roaringpenguin.com, http://bugzilla.spamassassin.org/show_bug.cgi?id=3349
+#counts SARE_HEAD_XMIMEO_MS 27s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_XMIMEO_MS 36s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#counts SARE_HEAD_XMIMEO_MS 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_HEAD_XMIMEO_MS 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HEAD_XMIMEO_MS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XMIMEO_MS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Rules which identify headers found in email bodies
+######## ###################### ##################################################
+
+rawbody SARE_HEAD_BDY_BOUNCES /^Bounces_to: .{1,50}\@/
+describe SARE_HEAD_BDY_BOUNCES Message header suggesting spam in body
+score SARE_HEAD_BDY_BOUNCES 1.666
+#note SARE_HEAD_BDY_BOUNCES Normally valid header currently very popular in spam.
Presence in bounced emails strongly suggests bounced spam
+#hist SARE_HEAD_BDY_BOUNCES Bob Menschel, Apr 10 2005
+#counts SARE_HEAD_BDY_BOUNCES 1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_HEAD_BDY_BOUNCES 433s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
+#counts SARE_HEAD_BDY_BOUNCES 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_BDY_BOUNCES 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_BDY_BOUNCES 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+#####################################################################################
+# SARE Rules which examine multiple header types
+######## ###################### ##################################################
+
+header __THEBAT_MUA X-Mailer =~ /The Bat!/
+header __SARE_HEAD_WEBMAIL Message-ID =~ /<.+\@(yahoo|hotmail|cfswebmail)\.com>$/i
+header __SARE_HEAD_MAIL_BAT2 User-Agent =~ /^The Bat!/
+meta SARE_HEAD_BAT_WEB __SARE_HEAD_WEBMAIL && ( __THEBAT_MUA || __SARE_HEAD_MAIL_BAT2 )
+describe SARE_HEAD_BAT_WEB Webmail message ID, but The Bat!
X-Mailer
+score SARE_HEAD_BAT_WEB 3.333
+#stype SARE_HEAD_BAT_WEB spamg
+#hist SARE_HEAD_BAT_WEB Tim Jackson, May 11 2005
+#counts SARE_HEAD_BAT_WEB 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_BAT_WEB 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_BAT_WEB 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_BAT_WEB 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header __SARE_MULT_BMASTGR1 Received =~ /for bmastgr\@/
+header __SARE_MULT_BMASTGR2 ToCc =~ /\bbmastgr\@/
+header __SARE_MULT_BMASTGR3 From =~ /\bbmastgr\@/
+header __SARE_MULT_BMASTGR4 Envelope-to =~ /\bbmastgr\@/
+header __SARE_MULT_BMASTGR5 Subject =~ /\bbmastgr\b/
+meta SARE_MULT_BMASTGR ( __SARE_MULT_BMASTGR1 || __SARE_MULT_BMASTGR2 || __SARE_MULT_BMASTGR3 || __SARE_MULT_BMASTGR4 || __SARE_MULT_BMASTGR5 )
+describe SARE_MULT_BMASTGR Directed to/from invalid address
+score SARE_MULT_BMASTGR 5.000
+#stype SARE_MULT_BMASTGR spamggg
+#hist SARE_MULT_MBASTGR Missing meta dependencies fixed by Fred T, Oct 6 2005
+#counts SARE_MULT_BMASTGR 497s/0h of 487606 corpus (219627s/267979h RM) 10/07/05
+#max SARE_MULT_BMASTGR 1336s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
+#counts SARE_MULT_BMASTGR 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_MULT_BMASTGR 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_MULT_BMASTGR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_MULT_BMASTGR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MULT_BMASTGR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_MULT_FROM ALL =~ /\nFrom:.{10,150}\nFrom:.{10,150}\nFrom:/s
+score SARE_MULT_FROM 0.777
+describe SARE_MULT_FROM Many from lines
+#hist SARE_MULT_FROM Loren Wilton, June 2005
+#counts SARE_MULT_FROM 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_MULT_FROM 40s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
+#counts SARE_MULT_FROM 0s/0h of 5653 corpus (1019s/4634h ft)
06/04/05
+#counts SARE_MULT_FROM 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_MULT_FROM 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_MULT_FROM 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+header __SARE_MULT_FROM_MRS From =~ /"Mrs[\. ][A-Z][a-z]+"/
+header __SARE_MULT_HITHERE Subject =~ /^(?:HELLO|Hello|Hey|Hi)\w{0,8},?(?:Mrs\.)?/
+body __SARE_MULT_PROFILE /(?:on-?line profile|profile (?:is )?on-?line)/
+meta SARE_MULT_SEXCLUB __SARE_MULT_HITHERE && (__SARE_MULT_PROFILE || __SARE_MULT_FROM_MRS)
+describe SARE_MULT_SEXCLUB Adult invitation spam
+score SARE_MULT_SEXCLUB 1.666
+#hist SARE_MULT_SEXCLUB Loren Wilton, Feb 22 2005
+#counts SARE_MULT_SEXCLUB 2s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_MULT_SEXCLUB 114s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
+#counts SARE_MULT_SEXCLUB 8s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_MULT_SEXCLUB 54s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_MULT_SEXCLUB 59s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_MULT_SEXCLUB 11s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_MULT_SEXCLUB 22s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MULT_SEXCLUB 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_MULT_SUBJ ALL =~ /\nSubject:.{10,150}\nSubject:.{10,150}\nSubject:/s
+score SARE_MULT_SUBJ 0.777
+describe SARE_MULT_SUBJ Many subject lines
+#hist SARE_MULT_SUBJ Loren Wilton, June 2005
+#counts SARE_MULT_SUBJ 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_MULT_SUBJ 40s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
+#counts SARE_MULT_SUBJ 0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+#counts SARE_MULT_SUBJ 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_MULT_SUBJ 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_MULT_SUBJ 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+# EOF
+
+# SARE Header Abuse Ruleset for SpamAssassin
-- file 1
+# Version: 01.03.16
+# Created: 2004-04-25
+# Modified: 2005-10-28
+# Usage instructions and documentation in 70_sare_header0.cf
+
+# Full Revision History / Change Log in 70_sare_header.log
+#@@# 01.03.16 Oct 28 2005
+#@@# Minor score updates based on additional mass-check
+#@@# Added to file 1: SARE_HEAD_HDR_XLEGAL1, 2, 3, 4
+#@@# Added to file 1: SARE_HEAD_HDR_XSIDPRA
+#@@# Added to file 1: SARE_HEAD_HDR_XSIDRES
+#@@# Added to file 1: SARE_RECV_IP_064034
+#@@# Added to file 1: SARE_RECV_IP_209051
+#@@# Added to file 1: SARE_RECV_IP_209190
+#@@# Added to file 1: SARE_RECV_IP_216118120
+#@@# Modified: SARE_FROM_SPAM_DOMN0: split yahoo.net to separate rule
+#@@# Moved file 0 to file 1: SARE_BOUNDARY_LC
+#@@# Moved file 0 to file 1: SARE_FREE_WEBM_FrVoila
+#@@# Moved file 0 to file 1: SARE_FREE_WEBM_Mailexc
+#@@# Moved file 0 to file 1: SARE_HEAD_HDR_XBBOUNC
+#@@# Moved file 0 to file 1: SARE_HEAD_XWORD
+#@@# Moved file 0 to file 1: SARE_RECV_IP_066165224
+#@@# Moved file 0 to file 1: SARE_RECV_IP_218088
+#@@# Moved file 0 to file 1: SARE_XMAIL_TOLMAIL
+#@@# Moved file 1 to file 0: SARE_HEAD_XMIMEO_MS
+#@@# Moved file 1 to file 0: SARE_RECV_IP_069060122
+#@@# Moved file 1 to file 0: SARE_XMAIL_DYNAMAILER
+#@@# Moved file 1 to file 2: SARE_FREE_WEBM_USACOPS
+#@@# Moved file 1 to file 2: SARE_HEAD_HDR_XEMGBMS
+#@@# Moved file 1 to file 2: SARE_HEAD_XCANIT1
+#@@# Moved file 1 to file 2: SARE_HEAD_XCANIT2
+#@@# Moved file 1 to file 2: SARE_MSGID_SPAM_DOMN0
+#@@# Moved file 1 to file 2: SARE_MSGID_SUSP2
+#@@# Moved file 1 to file 2: SARE_RECV_IP_081019
+#@@# Moved file 1 to file 2: SARE_RECV_IP_211049
+#@@# Moved file 1 to file 2: SARE_RECV_RND_NUMBER
+#@@# Moved file 1 to file 3: SARE_FROM_NONAME
+#@@# Moved file 1 to file 3: SARE_FROM_SPAM_CHAR0
+#@@# Moved file 1 to file 3: SARE_HEAD_XCOM_RFCMIN
+#@@# Moved file 1 to file 3: SARE_RECV_IP_080178
+#@@# Moved file 1 to file 3: SARE_XMAIL_SUSP3
+#@@# Moved file 2 to file 1: SARE_FROM_AST
+#@@# Moved file 2 to
file 1: SARE_HEAD_HDR_XCNDINF
+#@@# Moved file 3 to file 1: SARE_FROM_SPAM_MONEY2
+#@@# Moved from file 1 to x31: SARE_MSGID_DBL_AT
+#@@# Replaced __SARE_HEAD_HDR_RCVD with SA 3.1.0 rule __HAS_RCVD
+#@@# Split mail2world.com from SARE_FREE_WEBM_ZCom03
+
+# License: Artistic - see http://www.rulesemporium.com/license.txt
+# Current Maintainer: Bob Menschel - RMSA@Menschel.net
+# Current Home: http://www.rulesemporium.com/rules/70_sare_header1.cf
+
+######## ###################### ##################################################
+# Component rules used within meta rules
+######## ###################### ##################################################
+
+header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
+
+######## ###################### ##################################################
+# Meta rules used to prevent --lint errors after moving/changing rules
+######## ###################### ##################################################
+
+meta SARE_FREE_WEBM_CZSEZNA 0
+meta SARE_FROM_MULTI_DASH 0
+meta SARE_HEAD_DATE18 0
+meta SARE_MSGID_LONG40 0
+meta SARE_MSGID_LONG55 0
+meta SARE_MULT_VIA_FWCATS 0
+meta SARE_RECV_IP_064080 0
+meta SARE_RECV_ISWEST 0
+meta SARE_FROM_AMERICA 0
+meta SARE_HEAD_SUBJ_RAND 0
+meta SARE_HEAD_XORIP_IP 0
+meta SARE_MSGID_06D6 0
+meta SARE_RECV_IP_142046 0
+meta SARE_RECV_IP_212164 0
+meta SARE_BOUNDARY_MULTB 0
+meta SARE_FROM_NUM_9DIG 0
+meta SARE_FROM_PRINTER 0
+meta SARE_HEAD_8BIT_NOSPM 0
+meta SARE_HEAD_8BIT_SPAM 0
+meta SARE_HEAD_HDR_XCCDIAG 0
+meta SARE_HEAD_HDR_XMAILTH 0
+meta SARE_HEAD_HDR_XSMTPSV 0
+meta SARE_HEAD_HDR_XUMAIL 0
+meta SARE_HELO_SERVER 0
+meta SARE_MSGID_LONG35 0
+meta SARE_MSGID_LONG65 0
+meta SARE_MSGID_LONG75 0
+meta SARE_RECV_IP_066111 0
+meta SARE_RECV_SUSP_3 0
+meta SARE_XMAIL_XMAIL 0
+meta SARE_HEAD_HDR_XEMGBMS 0
+meta SARE_HEAD_XCANIT1 0
+meta SARE_HEAD_XCANIT2 0
+meta SARE_MSGID_SPAM_DOMN0 0
+meta SARE_MSGID_SUSP2 0
+meta SARE_RECV_IP_081019 0
+meta SARE_RECV_IP_211049 0
+meta
SARE_RECV_RND_NUMBER 0
+meta SARE_FROM_NONAME 0
+meta SARE_FROM_SPAM_CHAR0 0
+meta SARE_HEAD_XCOM_RFCMIN 0
+meta SARE_RECV_IP_080178 0
+meta SARE_XMAIL_SUSP3 0
+meta SARE_MSGID_DBL_AT 0
+meta SARE_FREE_WEBM_USACOPS 0
+
+#####################################################################################
+# SARE Header-Exists rules
+######## ###################### ##################################################
+
+header SARE_HEAD_HDR_ALTREC exists:Alternate-Recipient
+describe SARE_HEAD_HDR_ALTREC Message headers used which identify spam
+score SARE_HEAD_HDR_ALTREC 0.148
+#ham SARE_HEAD_HDR_ALTREC "Alternate-recipient: prohibited",
From: JOEL RHEINBERGER , UA-content-id: A266IPY323WU, A1-type: MAIL, Hop-count: 1, Received: from VAXB.abc.net.au, no indication which email client was used
+#counts SARE_HEAD_HDR_ALTREC 98s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_HDR_ALTREC 324s/4h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_HDR_ALTREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_ALTREC 43s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_ALTREC 44s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_ALTREC 19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#max SARE_HEAD_HDR_ALTREC 21s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_ALTREC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_APPROV exists:Approved
+describe SARE_HEAD_HDR_APPROV Message headers used which identify spam
+score SARE_HEAD_HDR_APPROV 0.817
+#hist SARE_HEAD_HDR_APPROV Moved file 0 to 1, version 01.03.09, 2 ham confirmed
+#counts SARE_HEAD_HDR_APPROV 21s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_HDR_APPROV 163s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_APPROV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_APPROV 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_APPROV 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_APPROV 7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_HDR_APPROV 19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_APPROV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#todo SARE_HEAD_HDR_AUTSUBD Test both rules independently %%%
+header SARE_HEAD_HDR_AUTSUBD exists:Auto-submitted
+header SARE_HEAD_HDR_AUTSUBD exists:X-RMD-Text
+describe SARE_HEAD_HDR_AUTSUBD Message headers used which identify spam
+score SARE_HEAD_HDR_AUTSUBD 1.111
+#stype SARE_HEAD_HDR_AUTSUBD spamp
+#counts
SARE_HEAD_HDR_AUTSUBD 33s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_AUTSUBD 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_HDR_AUTSUBD 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_AUTSUBD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_AUTSUBD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_AUTSUBD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_DISCREC exists:Disclose-Recipients
+describe SARE_HEAD_HDR_DISCREC Message headers used which identify spam
+score SARE_HEAD_HDR_DISCREC 0.739
+#ham SARE_HEAD_HDR_DISCREC confirmed (4), Used by usdoj.gov
+#counts SARE_HEAD_HDR_DISCREC 28s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_HDR_DISCREC 210s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_DISCREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_DISCREC 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_DISCREC 33s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_DISCREC 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_HDR_DISCREC 9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_DISCREC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_MSGTYPE exists:Message-Type
+describe SARE_HEAD_HDR_MSGTYPE Message headers used which identify spam
+score SARE_HEAD_HDR_MSGTYPE 0.555
+#stype SARE_HEAD_HDR_MSGTYPE spamp
+#counts SARE_HEAD_HDR_MSGTYPE 1s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#max SARE_HEAD_HDR_MSGTYPE 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_MSGTYPE 0s/0h of
2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_X400RCV exists:X400-Received
+describe SARE_HEAD_HDR_X400RCV Message headers used which identify spam
+score SARE_HEAD_HDR_X400RCV 0.555
+#stype SARE_HEAD_HDR_X400RCV spamp
+#counts SARE_HEAD_HDR_X400RCV 1s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#max SARE_HEAD_HDR_X400RCV 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
+#counts SARE_HEAD_HDR_X400RCV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_X400RCV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_X400RCV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_X400RCV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XBBOUNC exists:X-BBounce
+describe SARE_HEAD_HDR_XBBOUNC Message headers used which identify spam
+score SARE_HEAD_HDR_XBBOUNC 0.878
+#ham SARE_HEAD_HDR_XBBOUNC likely (2)
+#counts SARE_HEAD_HDR_XBBOUNC 174s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XBBOUNC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XBBOUNC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XBBOUNC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XBBOUNC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XCNDINF exists:X-CND-Info
+describe SARE_HEAD_HDR_XCNDINF Message headers used which identify spam
+score SARE_HEAD_HDR_XCNDINF 0.555
+#stype SARE_HEAD_HDR_XCNDINF spamp
+#counts SARE_HEAD_HDR_XCNDINF 6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XCNDINF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XCNDINF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XCNDINF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XCNDINF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XENC exists:X-ENC
+describe SARE_HEAD_HDR_XENC
Message headers used which identify spam
+score SARE_HEAD_HDR_XENC 1.111
+#stype SARE_HEAD_HDR_XENC spamp
+#hist SARE_HEAD_HDR_XENC Created by Bob Menschel Sep 03 2004
+#counts SARE_HEAD_HDR_XENC 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_HEAD_HDR_XENC 19s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_HDR_XENC 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_HEAD_HDR_XENC 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
+#counts SARE_HEAD_HDR_XENC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XENC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __HAS_RCVD exists:Received
+header __SARE_HEAD_HDR_IDKEY exists:X-Identity-Key
+meta SARE_HEAD_HDR_XIDKEY __SARE_HEAD_HDR_IDKEY && __HAS_RCVD
+header SARE_HEAD_HDR_XIDKEY exists:X-Identity-Key
+describe SARE_HEAD_HDR_XIDKEY Apparent spam sign in headers
+score SARE_HEAD_HDR_XIDKEY 1.666
+#ham SARE_HEAD_HDR_XIDKEY verified (4)
+#hist SARE_HEAD_HDR_XIDKEY Created by Chris Santerre Aug 31 2004
+#counts SARE_HEAD_HDR_XIDKEY 3611s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XIDKEY 68s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_HDR_XIDKEY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HEAD_HDR_XIDKEY 67s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_HEAD_HDR_XIDKEY 3s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header __SARE_HEAD_HDR_XLEGAL exists:X-Legal
+header __SARE_HEAD_HDR_XLEGAC X-Legal =~ m'copyright|\(c\)'i
+header __SARE_HEAD_HDR_XLEGAI X-Legal =~ m'in compliance'i
+header __SARE_HEAD_HDR_XLEGAB X-Legal =~ m'BE ADVISED'i
+meta SARE_HEAD_HDR_XLEGAL1 __SARE_HEAD_HDR_XLEGAB && __SARE_HEAD_HDR_XLEGAI && !__SARE_HEAD_HDR_XLEGAC
+describe SARE_HEAD_HDR_XLEGAL1 Message headers used which identify spam
+score SARE_HEAD_HDR_XLEGAL1 1.666
+#stype SARE_HEAD_HDR_XLEGAL1 spamgg
+#hist SARE_HEAD_HDR_XLEGAL1 Bob Menschel, Aug 07 2005
+#counts
SARE_HEAD_HDR_XLEGAL1 7s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+meta SARE_HEAD_HDR_XLEGAL2 ( __SARE_HEAD_HDR_XLEGAB || __SARE_HEAD_HDR_XLEGAI ) && !__SARE_HEAD_HDR_XLEGAC && !SARE_HEAD_HDR_XLEGAL1
+describe SARE_HEAD_HDR_XLEGAL2 Message headers used which identify spam
+score SARE_HEAD_HDR_XLEGAL2 1.666
+#stype SARE_HEAD_HDR_XLEGAL2 spamgg
+#hist SARE_HEAD_HDR_XLEGAL2 Bob Menschel, Aug 07 2005
+#counts SARE_HEAD_HDR_XLEGAL2 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XLEGAL2 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_HEAD_HDR_XLEGAL2 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+meta SARE_HEAD_HDR_XLEGAL3 __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !SARE_HEAD_HDR_XLEGAL1 && !__SARE_HEAD_HDR_XLEGAC
+describe SARE_HEAD_HDR_XLEGAL3 Message headers used which identify spam
+score SARE_HEAD_HDR_XLEGAL3 1.666
+#stype SARE_HEAD_HDR_XLEGAL3 spamgg
+#hist SARE_HEAD_HDR_XLEGAL3 Bob Menschel, Aug 07 2005
+#counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+meta SARE_HEAD_HDR_XLEGAL4 __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !SARE_HEAD_HDR_XLEGAL1 && !SARE_HEAD_HDR_XLEGAL3
+describe SARE_HEAD_HDR_XLEGAL4 Message headers used which might identify spam
+score SARE_HEAD_HDR_XLEGAL4 0.100
+#hist SARE_HEAD_HDR_XLEGAL4 Bob Menschel, Aug 07 2005
+#counts SARE_HEAD_HDR_XLEGAL4 3s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XLEGAL4 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_HEAD_HDR_XLEGAL4 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_HEAD_HDR_XLISTAD exists:X-LISTADDRESS
+describe
SARE_HEAD_HDR_XLISTAD Message headers used which identify spam
+score SARE_HEAD_HDR_XLISTAD 1.111
+#stype SARE_HEAD_HDR_XLISTAD spamp
+#counts SARE_HEAD_HDR_XLISTAD 46s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XLISTAD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XLISTAD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XLISTAD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XLISTAD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XMAILID exists:X-Mailid
+describe SARE_HEAD_HDR_XMAILID Message headers used which identify spam
+score SARE_HEAD_HDR_XMAILID 0.966
+#counts SARE_HEAD_HDR_XMAILID 222s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XMAILID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XMAILID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XMAILID 0s/2h of 10590 corpus (5819s/4771h CT) 07/26/05
+#was SARE_HEAD_HDR_XMAILID 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XMAILID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XMEBDOM exists:X-ME-bounce-domain
+describe SARE_HEAD_HDR_XMEBDOM Message headers used which identify spam
+score SARE_HEAD_HDR_XMEBDOM 0.555
+#stype SARE_HEAD_HDR_XMEBDOM spamp
+#counts SARE_HEAD_HDR_XMEBDOM 2s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_HDR_XMEBDOM 8s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#counts SARE_HEAD_HDR_XMEBDOM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XMEBDOM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XMEBDOM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XMEBDOM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XMLRSRV exists:X-Mailer-Server
+describe SARE_HEAD_HDR_XMLRSRV Message headers used which identify spam
+score SARE_HEAD_HDR_XMLRSRV 0.372
+#ham SARE_HEAD_HDR_XMLRSRV verified (1)
+#counts SARE_HEAD_HDR_XMLRSRV 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XRESPID exists:X-Response-ID
+describe SARE_HEAD_HDR_XRESPID Message headers used which identify spam
+score SARE_HEAD_HDR_XRESPID 1.111
+#stype SARE_HEAD_HDR_XRESPID spamp
+#counts SARE_HEAD_HDR_XRESPID 35s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XRESPID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XRESPID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XRESPID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRESPID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XRIPE exists:X-RIPE
+describe SARE_HEAD_HDR_XRIPE Message headers used which identify spam
+score SARE_HEAD_HDR_XRIPE 1.111
+#stype SARE_HEAD_HDR_XRIPE spamp
+#counts SARE_HEAD_HDR_XRIPE 4s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_HDR_XRIPE 16s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XSAFMMI exists:X-SafeMailer-MsgId
+describe SARE_HEAD_HDR_XSAFMMI Message headers used which identify spam
+score SARE_HEAD_HDR_XSAFMMI 0.555
+#stype
SARE_HEAD_HDR_XSAFMMI spamp
+#counts SARE_HEAD_HDR_XSAFMMI 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_HDR_XSAFMMI 1s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
+#counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XSIDPRA exists:X-SID-PRA
+describe SARE_HEAD_HDR_XSIDPRA fingerprint
+score SARE_HEAD_HDR_XSIDPRA 0.684
+#hist SARE_HEAD_HDR_XSIDPRA Alex Broens, Aug 3 2005
+#counts SARE_HEAD_HDR_XSIDPRA 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+header SARE_HEAD_HDR_XSIDRES exists:X-SID-Result
+describe SARE_HEAD_HDR_XSIDRES fingerprint
+score SARE_HEAD_HDR_XSIDRES 0.684
+#hist SARE_HEAD_HDR_XSIDRES Alex Broens, Aug 3 2005
+#counts SARE_HEAD_HDR_XSIDRES 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XSIDRES 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+header SARE_HEAD_HDR_XTID exists:X-TID
+describe SARE_HEAD_HDR_XTID Message headers used which identify spam
+score SARE_HEAD_HDR_XTID 1.111
+#stype SARE_HEAD_HDR_XTID spamp
+#counts SARE_HEAD_HDR_XTID 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_HDR_XTID 19s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_XTID 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_HEAD_HDR_XTID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XTID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XTID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XWTID exists:X-WTID
+describe SARE_HEAD_HDR_XWTID Message headers used which identify spam
+score SARE_HEAD_HDR_XWTID
0.611
+#counts SARE_HEAD_HDR_XWTID 20s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_HDR_XWTID 29s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_HEAD_HDR_XWTID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XWTID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XWTID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XWTID 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_HEAD_HDR_XWTVERS exists:X-WTVersion
+describe SARE_HEAD_HDR_XWTVERS Message headers used which identify spam
+score SARE_HEAD_HDR_XWTVERS 0.611
+#stype SARE_HEAD_HDR_XWTVERS spamp
+#counts SARE_HEAD_HDR_XWTVERS 20s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_HDR_XWTVERS 29s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_HEAD_HDR_XWTVERS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XWTVERS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XWTVERS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XWTVERS 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_HEAD_ORIG_RECIP exists:Original-Recipient
+describe SARE_HEAD_ORIG_RECIP Message header used which suggests spam
+score SARE_HEAD_ORIG_RECIP 0.669
+#hist SARE_HEAD_ORIG_RECIP Bob Menschel, Feb 26 2005
+#ham SARE_HEAD_ORIG_RECIP delivery delayed messages from Postmaster@justact.org
+#counts SARE_HEAD_ORIG_RECIP 351s/21h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_ORIG_RECIP 388s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_HEAD_ORIG_RECIP 64s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_ORIG_RECIP 10s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_HEAD_ORIG_RECIP 17s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_HEAD_ORIG_RECIP 19s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_ORIG_RECIP 64s/0h of 10853
corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_ORIG_RECIP 6s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+#####################################################################################
+# SARE Content-Type and Boundary rules
+######## ###################### ##################################################
+
+header SARE_BOUNDARY_05 Content-Type =~ /boundary="-{8}[a-z]{20}"/
+describe SARE_BOUNDARY_05 Content type boundary used in spam
+score SARE_BOUNDARY_05 1.666
+#stype SARE_BOUNDARY_05 vbggg
+#hist SARE_BOUNDARY_05 Moved from file 0 to 1 May 2005
+#counts SARE_BOUNDARY_05 5s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_BOUNDARY_05 451s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
+#counts SARE_BOUNDARY_05 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_BOUNDARY_05 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_BOUNDARY_05 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_BOUNDARY_05 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#max SARE_BOUNDARY_05 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_BOUNDARY_05 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_BOUNDARY_06 Content-Type =~ /boundary="Boundary_\w{5}_\w{4}_\w{23}"/i
+describe SARE_BOUNDARY_06 Content type boundary used in spam
+score SARE_BOUNDARY_06 1.666
+#stype SARE_BOUNDARY_06 vbggg
+#hist SARE_BOUNDARY_06 Created by Bob Menschel May 4 2004
+#hist SARE_BOUNDARY_06 Moved from file 0 to 1 May 2005
+#counts SARE_BOUNDARY_06 84s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_06 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_BOUNDARY_06 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_BOUNDARY_06 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_BOUNDARY_08 Content-Type =~ /boundary="[\.\_]*(?:[A-Z\d]+[\.\_]+){4,20}[A-Z\d]*\"/s
+describe
SARE_BOUNDARY_08 Improbable MIME boundary format
+score SARE_BOUNDARY_08 1.666
+#hist SARE_BOUNDARY_08 LW_BOUNDARY1
+#ham SARE_BOUNDARY_08 ServiceMagic , 2001
+#ham SARE_BOUNDARY_08 verizon wireless picture phone transmission
+#counts SARE_BOUNDARY_08 5929s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_08 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_BOUNDARY_08 228s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_BOUNDARY_08 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_BOUNDARY_08 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_BOUNDARY_08 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_BOUNDARY_08 18s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_BOUNDARY_08 0s/2h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_BOUNDARY_D10 Content-Type =~ /boundary="\d{10}"/
+describe SARE_BOUNDARY_D10 Content type boundary used in spam or virus
+score SARE_BOUNDARY_D10 1.400
+#ham SARE_BOUNDARY_D10 verified (1)
+#hist SARE_BOUNDARY_D10 Created by Bob Menschel May 31 2004
+#counts SARE_BOUNDARY_D10 134s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_D10 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_BOUNDARY_D10 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_BOUNDARY_D10 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_BOUNDARY_D10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_BOUNDARY_LC Content-Type =~ /boundary="(?!ffff)[a-z]+"/
+describe SARE_BOUNDARY_LC Content type boundary used in spam
+score SARE_BOUNDARY_LC 1.666
+#ham SARE_BOUNDARY_LC questionable newsletters
+#hist SARE_BOUNDARY_LC Created by Bob Menschel May 31 2004
+#ham SARE_BOUNDARY_LC "ffff": Game Rival , ThePerfectGreeting
+#counts SARE_BOUNDARY_LC 899s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_LC 83s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_LC 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_BOUNDARY_LC 30s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_BOUNDARY_LC 125s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_BOUNDARY_LC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_BOUNDARY_NP2 Content-Type =~ /boundary=".*_NextPart_.*_NextPart_/
+describe SARE_BOUNDARY_NP2 Content type boundary used in spam and viruses
+score SARE_BOUNDARY_NP2 4.000
+#stype SARE_BOUNDARY_NP2 vbg
+#hist SARE_BOUNDARY_NP2 Created by Bob Menschel May 31 2004
+#hist SARE_BOUNDARY_NP2 Bugzilla entry 3861, Oct 03 2004
+#counts SARE_BOUNDARY_NP2 4s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_BOUNDARY_NP2 1118s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
+#counts SARE_BOUNDARY_NP2 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_BOUNDARY_NP2 37s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_BOUNDARY_NP2 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_BOUNDARY_NP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_NP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE From Rules
+######## ###################### ##################################################
+
+header SARE_FROM_AST From =~ /<\*\@.{1,50}\..{1,3}/
+describe SARE_FROM_AST Invalid character in email address
+score SARE_FROM_AST 0.666
+#hist SARE_FROM_AST Originally submitted by Fred Tarasevicius
+#counts SARE_FROM_AST 1s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_FROM_AST 20s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_FROM_AST 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_FROM_AST 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FROM_AST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_AST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_CAPS_MSN From =~ /"[^"]+" <[A-Z]+\@msn.com>/ # no /i
+describe SARE_FROM_CAPS_MSN Ratware all-caps MSN from address
+score SARE_FROM_CAPS_MSN 0.759
+#ham SARE_FRMO_CAPS_MSN verified (3)
+#hist SARE_FROM_CAPS_MSN Created by Bob Menschel May 15 2004
+#counts SARE_FROM_CAPS_MSN 173s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_FROM_CAPS_MSN 421s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
+#counts SARE_FROM_CAPS_MSN 48s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FROM_CAPS_MSN 102s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FROM_CAPS_MSN 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_FROM_CAPS_MSN 59s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FROM_CAPS_MSN 29s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_FROM_CAPS_MSN 51s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FROM_CAPS_MSN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_DRUGS2 From =~ /\bsoma\b/i
+describe SARE_FROM_DRUGS2 From a drug
+score SARE_FROM_DRUGS2 0.754
+#ham SARE_FRMO_DRUGS2 verified (3)
+#hist SARE_FROM_DRUGS2 Bob Menschel June 25 2005; ham email from userid = soma
+#counts SARE_FROM_DRUGS2 79s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_DRUGS2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#counts SARE_FROM_DRUGS2 62s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_DRUGS2 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+header SARE_FROM_DVDCOPY From =~ m'(?:DVD.*cop[iy]|\bdvd\b)'i
+describe SARE_FROM_DVDCOPY From DVD abuse address
+score SARE_FROM_DVDCOPY 0.630
+#ham SARE_FROM_DVDCOPY Columbia House DVD Club
+#hist SARE_FROM_DVDCOPY Created by Bob Menschel Sep 04 2004
+#counts SARE_FROM_DVDCOPY 243s/28h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_DVDCOPY 24s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FROM_DVDCOPY 31s/0h of 44754 corpus (16523s/28231h
JH-SA3.0rc1) 09/06/04
+#counts SARE_FROM_DVDCOPY 98s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_DVDCOPY 24s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FROM_DVDCOPY 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i # SA 3.1.0
+header __SARE_FROM_NONAME From =~ /"" ?/
+describe SARE_MSGID_QMAIL1 Contains spoofing message id
+score SARE_MSGID_QMAIL1 3.333
+#stype SARE_MSGID_QMAIL1 spamgg
+#hist SARE_MSGID_QMAIL1 David Hooton, Fri, 11 Jun 2004
+#counts SARE_MSGID_QMAIL1 6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_MSGID_QMAIL1 31s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
+#counts SARE_MSGID_QMAIL1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_MSGID_QMAIL1 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_MSGID_QMAIL1 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_MSGID_QMAIL1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_MSGID_QMAIL1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_QMAIL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_MSGID_RATWARE2 MESSAGEID =~ /\<\d{10,15}\.\d{18,40}\@[a-z]+\>/ # no /i!
+describe SARE_MSGID_RATWARE2 Message-Id is
+score SARE_MSGID_RATWARE2 0.683
+#hist SARE_MSGID_RATWARE2 Loren Wilton Sat, 3 Apr 2004 20:29:32 -0800
+#matches SARE_MSGID_RATWARE2 numbers.numbers@letters
+#counts SARE_MSGID_RATWARE2 32s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_MSGID_RATWARE2 1640s/0h of 115925 corpus (94616s/21309h) 05/01/04
+#counts SARE_MSGID_RATWARE2 33s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_MSGID_RATWARE2 66s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_MSGID_RATWARE2 9s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#max SARE_MSGID_RATWARE2 31s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_MSGID_RATWARE2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#max SARE_MSGID_RATWARE2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_MSGID_RATWARE2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_MSGID_SHORT MESSAGEID =~ /^.{1,6}$/
+describe SARE_MSGID_SHORT Message ID is too short to be valid.
+score SARE_MSGID_SHORT 1.283
+#hist SARE_MSGID_SHORT RM_hm_ShortMsgid6
+#counts SARE_MSGID_SHORT 181s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_MSGID_SHORT 191s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
+#counts SARE_MSGID_SHORT 34s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_MSGID_SHORT 40s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_MSGID_SHORT 43s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_MSGID_SHORT 68s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_MSGID_SHORT 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_MSGID_SHORT 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_MSGID_SHORT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Received Header Rules
+######## ###################### ##################################################
+
+header SARE_HELO_EQ_DSL_3 X-Spam-Relays-Untrusted =~ /helo=dsl-/
+score SARE_HELO_EQ_DSL_3 0.752
+#ham SARE_HELO_EQ_DSL_3 confirmed (several)
+#hist SARE_HELO_EQ_DSL_3 Frederic Tarasevicius, Feb 22 2005
+#counts SARE_HELO_EQ_DSL_3 529s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HELO_EQ_DSL_3 143s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HELO_EQ_DSL_3 149s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HELO_EQ_DSL_3 35s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_HELO_EQ_DSL_3 42s/1h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_HELO_EQ_DSL_3 34s/1h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HELO_EQ_DSL_3 68s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HELO_EQ_DSL_3 3s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_HELO_EQ_PPPOE X-Spam-Relays-Untrusted =~ /helo=pppoe-\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}/i
+score SARE_HELO_EQ_PPPOE 0.555
+#stype SARE_HELO_EQ_PPPOE spamp
+#hist SARE_HELO_EQ_PPPOE Frederic
Tarasevicius, Feb 22 2005
+#counts SARE_HELO_EQ_PPPOE 3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HELO_EQ_PPPOE 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HELO_EQ_PPPOE 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HELO_EQ_PPPOE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HELO_EQ_PPPOE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HELO_YAHOO Received =~ /helo=yahoo\.com/i
+describe SARE_HELO_YAHOO Received header has spamsign
+score SARE_HELO_YAHOO 1.666
+#ham SARE_HELO_YAHOO confirmed (6), generated by X-Mailer: Apple Mail (2.552)
+#hist SARE_HELO_YAHOO Created by Bob Menschel Oct 26 2004
+#counts SARE_HELO_YAHOO 663s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HELO_YAHOO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HELO_YAHOO 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HELO_YAHOO 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HELO_YAHOO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_8BIT_RECV Received =~ /[\x80-\xff]{3,}/
+describe SARE_HEAD_8BIT_RECV High-ascii characters found in strange header
+score SARE_HEAD_8BIT_RECV 1.666
+#ham SARE_HEAD_8BIT_RECV verified (1)
+#hist SARE_HEAD_8BIT_RECV From Bugzilla # 2243
+#counts SARE_HEAD_8BIT_RECV 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_8BIT_RECV 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_8BIT_RECV 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+#counts SARE_HEAD_8BIT_RECV 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_8BIT_RECV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_FEP5 Received =~ /by fep5\./i
+describe SARE_RECV_FEP5 Message contains known spam format
+score SARE_RECV_FEP5 1.666
+#ham SARE_RECV_FEP5 verified (1)
+#counts SARE_RECV_FEP5 527s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max
SARE_RECV_FEP5 528s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#counts SARE_RECV_FEP5 7s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_RECV_FEP5 208s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_FEP5 479s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_FEP5 168s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_FEP5 195s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_FEP5 6s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_FREESERVE Received =~ /\bfreeserve\.com/
+describe SARE_RECV_FREESERVE spam passed through system used by spammers
+score SARE_RECV_FREESERVE 0.704
+#ham SARE_RECV_FREESERVE confirmed (1)
+#ham SARE_RECV_FREESERVE userid@hurrel.freeserve.co.uk, valid email sent to Yahoo groups list by subscriber
+#counts SARE_RECV_FREESERVE 77s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_FREESERVE 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_FREESERVE 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_FREESERVE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_FREESERVE 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_MDNETCOMBR Received =~ /\bmdnet\.com\.br/
+describe SARE_RECV_MDNETCOMBR Came through/fromsite used by spammer
+score SARE_RECV_MDNETCOMBR 0.756
+#counts SARE_RECV_MDNETCOMBR 2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_MDNETCOMBR 33s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_RECV_MDNETCOMBR 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_MDNETCOMBR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_RECV_MDNETCOMBR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_MDNETCOMBR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_PATMEDIA Received =~ /\bpatmedia\.net/i
+describe SARE_RECV_PATMEDIA Passed through possible spammer relay
or source
+score SARE_RECV_PATMEDIA 0.728
+#stype SARE_RECV_PATMEDIA spamp
+#hist SARE_RECV_PATMEDIA Created by Bob Menschel Aug 19 2004
+#counts SARE_RECV_PATMEDIA 47s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_PATMEDIA 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_PATMEDIA 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_PATMEDIA 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_PATMEDIA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_RECV_PORTHELOA Received =~ /helo=\[\w+\]/i
+header __SARE_RECV_PORTHELOB Received =~ /\(port=\d{4} helo=\[\w+\]\)/i
+header SARE_RECV_PORTHELO_1 Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \(port=\d{4} helo=\[\w+\]\)/i
+meta SARE_RECV_PORTHELO_2 __SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
+meta SARE_RECV_PORTHELO_3 __SARE_RECV_PORTHELOA && !__SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
+describe SARE_RECV_PORTHELO_1 Apparent Spamsign in Received header
+describe SARE_RECV_PORTHELO_2 Apparent Spamsign in Received header
+describe SARE_RECV_PORTHELO_3 Apparent Spamsign in Received header
+score SARE_RECV_PORTHELO_1 2.666
+score SARE_RECV_PORTHELO_2 2.000
+score SARE_RECV_PORTHELO_3 1.666
+#note SARE_RECV_PORTHELO_1 As of June 8 2005, all three rules in this family hit identically.
+#note SARE_RECV_PORTHELO_1 We score them based on their "safety".
+#hist SARE_RECV_PORTHELO_1 Loren Wilton, June 2005
+#counts SARE_RECV_PORTHELO_1 5201s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_PORTHELO_1 69s/0h of 55754 corpus (18581s/37173h JH-3.01) 06/10/05
+#counts SARE_RECV_PORTHELO_1 286s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_PORTHELO_1 83s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
+#counts SARE_RECV_PORTHELO_1 42s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_PORTHELO_3 499s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+
+header SARE_RECV_RND_DATE Received =~ /RND_DATE/i
+describe SARE_RECV_RND_DATE Spam passed through iswest.net relay
+score SARE_RECV_RND_DATE 1.666
+#stype SARE_RECV_RND_DATE spamg
+#counts SARE_RECV_RND_DATE 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_RECV_RND_DATE 9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
+#counts SARE_RECV_RND_DATE 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
+#counts SARE_RECV_RND_DATE 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_RND_DATE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_RND_DATE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_SKANOVA Received =~ /\bskanova\.com/i
+describe SARE_RECV_SKANOVA From or passed through spammer/unreliable domain
+score SARE_RECV_SKANOVA 0.741
+#ham SARE_RECV_SKANOVA verified (several)
+#hist SARE_RECV_SKANOVA Created by Bob Menschel Apr 03 2004
+#counts SARE_RECV_SKANOVA 197s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SKANOVA 18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_SKANOVA 15s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_SKANOVA 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_SKANOVA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_SPAM_DOMN02 Received =~ /\b(?:dsl\.telesp|speedyterra)\.(?:com|net)\.br/
+describe SARE_RECV_SPAM_DOMN02 Email passed
through apparent spammer domain
+score SARE_RECV_SPAM_DOMN02 1.666
+#ham SARE_RECV_SPAM_DOMN02 Confirmed (5)
+#counts SARE_RECV_SPAM_DOMN02 1953s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN02 138s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_SPAM_DOMN02 187s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_SPAM_DOMN02 64s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_SPAM_DOMN02 28s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_SPAM_DOMN02 44s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_SPAM_DOMN02 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_SPAM_DOMN04 Received =~ /\b(?:megared)\.(?:com|net)\.mx/
+describe SARE_RECV_SPAM_DOMN04 Email passed through apparent spammer domain
+score SARE_RECV_SPAM_DOMN04 0.709
+#ham SARE_RECV_SPAM_DOMN04 verified (3)
+#counts SARE_RECV_SPAM_DOMN04 244s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN04 29s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_SPAM_DOMN04 34s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_DOMN04 3s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_RECV_SPAM_DOMN04 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_SPAM_DOMN04 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_DOMN04 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_SPAM_DOMN06 Received =~ /adsl.cust.tie.cl/i
+describe SARE_RECV_SPAM_DOMN06 Passed through possible spammer relay or source
+score SARE_RECV_SPAM_DOMN06 0.878
+#ham SARE_RECV_SPAM_DOMN06 verified (1)
+#hist SARE_RECV_SPAM_DOMN06 Created by Bob Menschel Jul 17 2004
+#counts SARE_RECV_SPAM_DOMN06 161s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN06 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_DOMN06 6s/0h of 47283
corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_SPAM_DOMN06 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_SPAM_DOMN06 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_DOMN06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_SPAM_DOMN0a Received =~ /\b(?:cyberemailings|netmedia-corp|themailservers|ucanrecover|vnuemedia|winnerssweepstakes|wseas|www--directory)\.(?:com|net|org|info)/
+describe SARE_RECV_SPAM_DOMN0a Email passed through apparent spammer domain
+score SARE_RECV_SPAM_DOMN0a 1.666
+#ham SARE_RECV_SPAM_DOMN0a 218-162-39-132.dynamic.hinet.net, valid/appropriate UCE
+#hist SARE_RECV_SPAM_DOMN0a freeserve.com removed May 16 2005
+#counts SARE_RECV_SPAM_DOMN0a 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_SPAM_DOMN0a 242s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_RECV_SPAM_DOMN0a 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_SPAM_DOMN0a 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_DOMN0a 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_SPAM_DOMN0a 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_SPAM_DOMN0a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_SPAM_DOMN0b Received =~ /\bdynamic.hinet\.(?:com|net|org|info)/
+describe SARE_RECV_SPAM_DOMN0b Email passed through apparent spammer domain
+score SARE_RECV_SPAM_DOMN0b 1.666
+#ham SARE_RECV_SPAM_DOMN0b confirmed (many)
+#counts SARE_RECV_SPAM_DOMN0b 4287s/20h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN0b 40s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_SPAM_DOMN0b 59s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_SPAM_DOMN0b 31s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_SPAM_DOMN0b 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+header SARE_RECV_SPEEDY_AR Received =~
/\b(?:speedy)\.(?:com|net)\.ar/
+describe SARE_RECV_SPEEDY_AR Email passed through apparent spammer domain
+score SARE_RECV_SPEEDY_AR 1.154
+#ham SARE_RECV_SPEEDY_AR
From: "Hushport Admin" , Received: from nairobi (200-63-141-89.speedy.com.ar [200.63.141.89])
+#counts SARE_RECV_SPEEDY_AR 278s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPEEDY_AR 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_SPEEDY_AR 7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_SPEEDY_AR 14s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_SPEEDY_AR 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_SPEEDY_AR 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPEEDY_AR 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_UK2NET2 Received =~ /\buk2\.net\b/i
+describe SARE_RECV_UK2NET2 Passed through possible spammer relay or source
+score SARE_RECV_UK2NET2 0.789
+#hist SARE_RECV_UK2NET2 Created by Bob Menschel Oct 01 2004
+#counts SARE_RECV_UK2NET2 29s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_UK2NET2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_UK2NET2 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_UK2NET2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_UK2NET2 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_RECV_UK2NET2 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_UK2NET2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_VIRTUACOMBR Received =~ /\bvirtua\.com\.br/
+describe SARE_RECV_VIRTUACOMBR Came through/fromsite used by spammer
+score SARE_RECV_VIRTUACOMBR 0.680
+#ham SARE_RECV_VIRTUACOMBR confirmed (4)
+#hist SARE_RECV_VIRTUACOMBR RM_hr_VirtuaComBr
+#counts SARE_RECV_VIRTUACOMBR 882s/45h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_VIRTUACOMBR 20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_VIRTUACOMBR 104s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_VIRTUACOMBR 17s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_VIRTUACOMBR 37s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_VIRTUACOMBR 4s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+#####################################################################################
+# SARE Received Header IP Address Rules
+######## ###################### ##################################################
+
+#eader __SARE_RECV_BEZEQINT Received =~ /\bbezeqint\.net/
+header __SARE_RECV_BEZEQINT1 Received =~ /\[212\.179\.13\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT2 Received =~ /\[212\.179\.(?:8\d|9[1-46-9]|10[0-6]|11[6-9]|12[89]|1[3-6]\d|17[0-36-9]|19[02-9]|2\d\d)\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT3 Received =~ /\[62\.219\.(?:4[89]|5[1-9]|[67]\d|11[2-9]|1[2-5]\d|189|192)\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT4 Received =~ /\[81\.218\.(?:\d{1,2}|1[01]\d|12[0-7]|13[2-9]|1[4-9]\d|2\d\d)\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT5 Received =~ /\[82\.80\.(?:\d|[1-5]\d|6[0-3]|12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT6 Received =~ /\[82\.81\.(?:\d|\d\d|1[01]\d|12[0-7]|19[2-9]|2[01]\d|22[0-3])\.\d{1,3}\]/
+meta SARE_RECV_BEZEQINT_B __SARE_RECV_BEZEQINT1 || __SARE_RECV_BEZEQINT2 || __SARE_RECV_BEZEQINT3 || __SARE_RECV_BEZEQINT4 || __SARE_RECV_BEZEQINT5 || __SARE_RECV_BEZEQINT6
+describe SARE_RECV_BEZEQINT_B Came through/fromsite used by spammer
+score SARE_RECV_BEZEQINT_B 0.980
+#ham SARE_RECV_BEZEQINT_B verified (4)
+#hist SARE_RECV_BEZEQINT_B Created by Bob Menschel Jan 29 from data supplied by Bezeqint.net to replace SARE_RECV_BEZEQINT
+#counts SARE_RECV_BEZEQINT_B 494s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_BEZEQINT_B 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_BEZEQINT_B 24s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_BEZEQINT_B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_BEZEQINT_B 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_BEZEQINT_B 6s/0h of
11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_BEZEQINT_B 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_FROMIP1 Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i
+describe SARE_RECV_IP_FROMIP1 Received line is IP address from IP address
+score SARE_RECV_IP_FROMIP1 1.666
+#hist SARE_RECV_IP_FROMIP1 From Regis Wilson, Wed, 24 Mar 2004, SUSP_IP_RECEIVED
+#ham SARE_RECV_IP_FROMIP1 ham: South Valley Bank
+#counts SARE_RECV_IP_FROMIP1 2940s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_FROMIP1 1547s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_FROMIP1 1784s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_FROMIP1 37s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_FROMIP1 639s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_FROMIP1 125s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_FROMIP1 661s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_FROMIP1 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_FROMIP3 ALL =~ /Received: from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by [a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz); [SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}/i
+describe SARE_RECV_IP_FROMIP3 Received line is IP address from IP address
+score SARE_RECV_IP_FROMIP3 1.666
+#match SARE_RECV_IP_FROMIP3 Received: from 2.19.230.24 by web9DKKRb8QDIGIT.mail.yahoo.com; Sun, 28 Mar 2004 22:08:01 -0500
+#ham SARE_RECV_IP_FROMIP3 Messages from a cell phone
+#hist SARE_RECV_IP_FROMIP3 From Fred , Fri, 2 Apr 2004, RE_hrip_IPfromIPc
+#counts SARE_RECV_IP_FROMIP3 587s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_FROMIP3 111s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_FROMIP3 155s/0h of 38398 corpus
(14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_FROMIP3 15s/3h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_FROMIP3 46s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_FROMIP3 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_FROMIP3 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_FROMIP3 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_061050 Received =~ /\[61\.5[01]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061050 Spam passed through possible spammer relay
+score SARE_RECV_IP_061050 1.666
+#ham SARE_RECV_IP_061050 confirmed (2)
+#counts SARE_RECV_IP_061050 757s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_061050 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_061050 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_061050 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_061050 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_061050 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_061072 Received =~ /\[61\.7[2-7]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061072 Passed through possible spammer relay or source
+score SARE_RECV_IP_061072 1.666
+#note SARE_RECV_IP_061072 Korea Telecom
+#hist SARE_RECV_IP_061072 Created by Bob Menschel Nov 02 2004
+#ham SARE_RECV_IP_061072 verified (1)
+#counts SARE_RECV_IP_061072 2043s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_061072 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_061072 48s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_061072 21s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_IP_061072 2s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+header SARE_RECV_IP_061187 Received =~ /\[61\.187\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061187 Passed through possible spammer
relay or source
+score SARE_RECV_IP_061187 0.639
+#hist SARE_RECV_IP_061187 Created by Bob Menschel Aug 09 2004
+#counts SARE_RECV_IP_061187 14s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_IP_061187 36s/1h of 114241 corpus (81067s/33174h RM) 01/15/05
+#counts SARE_RECV_IP_061187 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_061187 4s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
+#counts SARE_RECV_IP_061187 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_061187 20s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_061187 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_061187 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_061187 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_061190 Received =~ /\[61\.190\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061190 Spam passed through possible spammer relay
+score SARE_RECV_IP_061190 1.111
+#stype SARE_RECV_IP_061190 spamp
+#hist SARE_RECV_IP_061190 Created by Bob Menschel Apr 04 2004
+#counts SARE_RECV_IP_061190 42s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_061190 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_061190 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_061190 5s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_061190 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_061190 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_061228 Received =~ /\[61\.(?:22[89]|23[01])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061228 Spam passed through possible spammer relay
+score SARE_RECV_IP_061228 1.633
+#ham SARE_RECV_IP_061228 verified (1)
+#counts SARE_RECV_IP_061228 757s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_061228 6s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts
SARE_RECV_IP_061228 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_061228 4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#max SARE_RECV_IP_061228 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_061228 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_062023 Received =~ /\[62\.23\.133\.(?:19[2-9]|2\d{2})\]/
+describe SARE_RECV_IP_062023 Passed through possible spammer relay or source
+score SARE_RECV_IP_062023 1.111
+#stype SARE_RECV_IP_062023 spamp
+#hist SARE_RECV_IP_062023 Created by Bob Menschel Feb 10 2005 from Spam-L info
+#note SARE_RECV_IP_062023 E-Mail-Vision
+#counts SARE_RECV_IP_062023 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_IP_062023 22s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_RECV_IP_062023 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_RECV_IP_062023 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_RECV_IP_062023 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_062023 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_065205157 received =~ /\[65\.205\.157\.(?:19[2-9]|2[01]\d|22[0-3])\]/
+describe SARE_RECV_IP_065205157 Spam passed through possible spammer relay
+score SARE_RECV_IP_065205157 1.111
+#stype SARE_RECV_IP_065205157 spamp
+#hist SARE_RECV_IP_065205157 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
+#counts SARE_RECV_IP_065205157 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_RECV_IP_065205157 7s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_RECV_IP_065205157 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_065205157 67s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_065205157 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_065205157 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_064034 Received =~
/\[64\.34\.(?:\d{1,2}|1(?:[01]|2[0-7]))\.\d{1,3}\]/
+describe SARE_RECV_IP_064034 Spam passed through possible spammer relay
+score SARE_RECV_IP_064034 0.639
+#stype SARE_RECV_IP_064034 spamp
+#hist SARE_RECV_IP_064034 Created by Bob Menschel Aug 07 2005
+#counts SARE_RECV_IP_064034 144s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_064034 2s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_064034 4s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_066017 Received =~ /\[66\.17\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}\]/
+describe SARE_RECV_IP_066017 Passed through possible spammer relay or source
+score SARE_RECV_IP_066017 0.689
+#ham SARE_RECV_IP_066017 confirmed (8)
+#note SARE_RECV_IP_066017 Yipes Communications Inc
+#hist SARE_RECV_IP_066017 Created by Bob Menschel Nov 20 2004
+#counts SARE_RECV_IP_066017 88s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_066017 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_066017 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_066017 224s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_066017 335s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_066017 0s/8h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_066017 149s/8h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_066017 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_066165224 Received =~ /\[66\.165\.2(?:2[4-9]|3\d)\.\d{1,3}\]/
+describe SARE_RECV_IP_066165224 Spam passed through possible spammer relay
+score SARE_RECV_IP_066165224 0.675
+#ham SARE_RECV_IP_066165224 confirmed: 3
+#hist SARE_RECV_IP_066165224 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_066165224 Cyber World Internet Services
+#counts SARE_RECV_IP_066165224 7s/3h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_IP_066165224 34s/0h of 272483 corpus
(108035s/164448h RM) 05/15/05
+#counts SARE_RECV_IP_066165224 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_066165224 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_066165224 78s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_066165224 124s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_RECV_IP_066248154 Received =~ /\[66\.248\.154\.\d{1,3}\]/
+describe SARE_RECV_IP_066248154 Spam passed through possible spammer relay
+score SARE_RECV_IP_066248154 1.111
+#stype SARE_RECV_IP_066248154 spamp
+#hist SARE_RECV_IP_066248154 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_066248154 Advanced Dedicated Database Servers LLC
+#counts SARE_RECV_IP_066248154 0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
+#max SARE_RECV_IP_066248154 8s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
+#counts SARE_RECV_IP_066248154 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_066248154 17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_069050210 Received =~ /\[69\.50\.210\.\d{1,3}\]/
+describe SARE_RECV_IP_069050210 Spam passed through possible spammer relay
+score SARE_RECV_IP_069050210 0.691
+#ham SARE_RECV_IP_069050210 confirmed (2)
+#hist SARE_RECV_IP_069050210 Created by Fred Tarasevicius May 2005
+#counts SARE_RECV_IP_069050210 49s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_069050210 12s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#counts SARE_RECV_IP_069050210 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_069060096 Received =~ /\[69\.60\.(?:9[6-9]|1(?:[01]\d|2[0-7]))\.\d{1,3}\]/
+describe SARE_RECV_IP_069060096 Spam passed through possible spammer relay
+score SARE_RECV_IP_069060096 1.666
+#ham SARE_RECV_IP_069060096 verified (1)
+#hist SARE_RECV_IP_069060096 Created by Bob Menschel May 14 2005
+#counts SARE_RECV_IP_069060096 6813s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts
SARE_RECV_IP_069060096 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_069060096 2s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_069060096 398s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_082080 Received =~ /\[82\.80\.(?:12[89]|1[3-8]\d|191)\.\d{1,3}\]/
+describe SARE_RECV_IP_082080 Spam passed through possible spammer relay
+score SARE_RECV_IP_082080 1.111
+#stype SARE_RECV_IP_082080 spamp
+#counts SARE_RECV_IP_082080 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_082080 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_082080 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_082080 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_RECV_IP_082080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_082080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_082102 Received =~ /\[82\.102\.(?:3[2-9]|[45]\d|6[0-3]).\d{1,3}\]/
+describe SARE_RECV_IP_082102 Spam passed through possible spammer relay
+score SARE_RECV_IP_082102 0.555
+#stype SARE_RECV_IP_082102 spamp
+#hist SARE_RECV_IP_082102 Created by Bob Menschel May 20 2004
+#counts SARE_RECV_IP_082102 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_082102 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_082102 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_RECV_IP_082102 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_082102 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_082102 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_082154 Received =~ /\[82\.15[45]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_082154 Passed through possible spammer relay or source
+score SARE_RECV_IP_082154 1.144
+#ham SARE_RECV_IP_082154 confirmed (1)
+#hist SARE_RECV_IP_082154 Created by Bob Menschel Aug 10 2004
+#counts SARE_RECV_IP_082154 572s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_082154 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_082154 43s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_082154 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_IP_082154 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_083028 Received =~ /\[83\.28\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_083028 Passed through possible spammer relay or source
+score SARE_RECV_IP_083028 0.874
+#ham SARE_RECV_IP_083028 verified (1)
+#hist SARE_RECV_IP_083028 Created by Bob Menschel Sep 10 2004
+#note SARE_RECV_IP_083028 Large block of IP addresses in Poland
+#counts SARE_RECV_IP_083028 171s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_083028 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_083028 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_083028 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_RECV_IP_083028 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_083028 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_083028 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_RECV_IP_140117 Received =~ /\[140\.1(?:1[789]|2\d|3[0-8])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_140117 Passed through possible spammer relay or source
+score SARE_RECV_IP_140117 1.189
+#ham SARE_RECV_IP_140117 confirmed (1)
+#hist SARE_RECV_IP_140117 Created by Bob Menschel Oct 03 2004
+#note SARE_RECV_IP_140117 Ministry of Education Computing Center, Taipei, Taiwan
+#counts SARE_RECV_IP_140117 87s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_140117 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_140117 6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_140117 3s/0h of 10629 corpus (5847s/4782h
CT) 09/18/05
+#max SARE_RECV_IP_140117 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_140117 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_163125 Received =~ /\[163\.125\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_163125 Spam passed through possible spammer relay
+score SARE_RECV_IP_163125 1.111
+#stype SARE_RECV_IP_163125 spamp
+#hist SARE_RECV_IP_163125 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_163125 Success Marketing Associates, LLC
+#counts SARE_RECV_IP_163125 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_163125 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_163125 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_163125 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_RECV_IP_192116 Received =~ /\[192\.116\.13[3-7]\.\d{1,3}\]/
+describe SARE_RECV_IP_192116 Passed through possible spammer relay or source
+score SARE_RECV_IP_192116 0.861
+#note SARE_RECV_IP_192116 GILAT-SATCOM
+#hist SARE_RECV_IP_192116 Created by Bob Menschel Nov 16 2004
+#counts SARE_RECV_IP_192116 2s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_RECV_IP_192116 52s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_RECV_IP_192116 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_192116 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_RECV_IP_192116 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_192116 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_195229 Received =~ /\[195\.229\.2[45]\d\.\d{1,3}\]/
+describe SARE_RECV_IP_195229 Passed through possible spammer relay or source
+score SARE_RECV_IP_195229 0.805
+#hist SARE_RECV_IP_195229 Created by Bob Menschel Aug 31 2004
+#counts SARE_RECV_IP_195229 16s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_IP_195229 44s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts
SARE_RECV_IP_195229 0s/0h of 38748 corpus (15267s/23481h JH-SA3.0rc1) 09/04/04
+#counts SARE_RECV_IP_195229 0s/0h of 19447 corpus (16862s/2585h MY) 09/04/04
+#counts SARE_RECV_IP_195229 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_195229 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_200150 Received =~ /\[200\.150\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_200150 Spam passed through possible spammer relay
+score SARE_RECV_IP_200150 1.031
+#ham SARE_RECV_IP_200150 confirmed (2)
+#hist SARE_RECV_IP_200150 Created by Bob Menschel Aug 29 2004
+#counts SARE_RECV_IP_200150 142s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_200150 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_200150 7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_200150 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_200150 3s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_200150 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_203210128 Received =~ /\[203.210\.(?:1(?:2[89]|[3-9]\d)|2\d\d)\.\d{1,3}\]/
+describe SARE_RECV_IP_203210128 Spam passed through possible spammer relay
+score SARE_RECV_IP_203210128 0.516
+#ham SARE_RECV_IP_203210128 verified (3)
+#hist SARE_RECV_IP_203210128 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_203210128 Vietnam Posts and Telecommunications (VNPT)
+#counts SARE_RECV_IP_203210128 56s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_203210128 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_RECV_IP_203210128 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_203210128 69s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_203210128 79s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_203210128 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_203210128 3s/0h of 7500
corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_203177 Received =~ /\[203\.177\.1(?:2[89]|[3-8]\d|9[01])\.\d{1,3}\]/
+describe SARE_RECV_IP_203177 Passed through possible spammer relay or source
+score SARE_RECV_IP_203177 0.622
+#hist SARE_RECV_IP_203177 Created by Bob Menschel Aug 20 2004
+#ham SARE_RECV_IP_203177 verified (1)
+#counts SARE_RECV_IP_203177 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_IP_203177 42s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_RECV_IP_203177 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_203177 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_203177 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_203177 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_203177 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_203177 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_206131 Received =~ /\[206\.131\.2(?:2[4-9]|[345]\d)\.\d{1,3}\]/
+describe SARE_RECV_IP_206131 Spam passed through possible spammer relay
+score SARE_RECV_IP_206131 1.666
+#ham SARE_RECV_IP_206131 confirmed (1)
+#hist SARE_RECV_IP_206131 Created by Bob Menschel Feb 5 2005 from Spam-L info
+#note SARE_RECV_IP_206131 Minerva Network Systems, Inc.
+#counts SARE_RECV_IP_206131 2849s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_206131 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_206131 34s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_206131 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_IP_206131 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_206248152 Received =~ /\[206\.248\.153\.\d{1,3}\]/
+describe SARE_RECV_IP_206248152 Spam passed through possible spammer relay
+score SARE_RECV_IP_206248152 0.617
+#ham SARE_RECV_IP_206248152 confirmed (1)
+#hist SARE_RECV_IP_206248152 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_206248152 3zCanada-GTA1
+#counts SARE_RECV_IP_206248152 1s/1h of 378679 corpus (166455s/212224h RM) 07/24/05
+#max SARE_RECV_IP_206248152 19s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#counts SARE_RECV_IP_206248152 2s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_206248152 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_RECV_IP_209051 Received =~ /\[209\.51\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
+describe SARE_RECV_IP_209051 Spam passed through possible spammer relay
+score SARE_RECV_IP_209051 1.111
+#stype SARE_RECV_IP_209051 spamp
+#hist SARE_RECV_IP_209051 Created by Bob Menschel Aug 07 2005
+#note SARE_RECV_IP_209051 S-INFOTECH, Inc.
+#counts SARE_RECV_IP_209051 56s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_209051 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_209051 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_209190 Received =~ /\[209\.190\.(?:8|9|1[0-5])\.\d{1,3}\]/
+describe SARE_RECV_IP_209190 Spam passed through possible spammer relay
+score SARE_RECV_IP_209190 1.111
+#stype SARE_RECV_IP_209190 spamp
+#hist SARE_RECV_IP_209190 Created by Bob Menschel Aug 07 2005
+#note SARE_RECV_IP_209190 S-INFOTECH, Inc.
+#counts SARE_RECV_IP_209190 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_209190 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_209190 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_216118120 Received =~ /\[216\.118\.120\.(?:6[4-9]|[78]\d|9[0-1])\]/
+describe SARE_RECV_IP_216118120 Spam passed through possible spammer relay
+score SARE_RECV_IP_216118120 2.222
+#hist SARE_RECV_IP_216118120 Created by Bob Menschel Aug 07 2005
+#counts SARE_RECV_IP_216118120 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_216118120 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_216118120 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_211216 Received =~ /\[211\.2(?:1[6-9]|2[0-5]\d)\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_211216 Passed through possible spammer relay or source
+score SARE_RECV_IP_211216 1.666
+#ham SARE_RECV_IP_211216 confirmed (1) - YahooGroups moderated group, posting approved by moderator
+#hist SARE_RECV_IP_211216 Created by Bob Menschel Aug 20 2004
+#note SARE_RECV_IP_211216 Korea Telecom
+#counts SARE_RECV_IP_211216 1308s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_211216 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_211216 40s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_211216 11s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_RECV_IP_211216 14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_211216 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_212068 Received =~ /\[212\.68\.2[45]\d\.\d{1,3}\]/
+describe SARE_RECV_IP_212068 Spam passed through possible spammer relay
+score SARE_RECV_IP_212068 1.111
+#stype SARE_RECV_IP_212068 spamp
+#hist SARE_RECV_IP_212068 Created by Bob Menschel Apr 09 2004
+#counts SARE_RECV_IP_212068 18s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_212068 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_212068 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_RECV_IP_212068 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_212068 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_212068 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_212068 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_216022 Received =~ /\[216\.22\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_216022 Spam passed through possible spammer relay
+score SARE_RECV_IP_216022 1.666
+#hist SARE_RECV_IP_216022 Created by Bob Menschel May 14 2005
+#counts SARE_RECV_IP_216022 1146s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_216022 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_216022 3s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_216022 100s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_218070 Received =~ /\[218\.70\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218070 Spam passed through possible spammer relay
+score SARE_RECV_IP_218070 1.111
+#stype SARE_RECV_IP_218070 spamp
+#counts SARE_RECV_IP_218070 4s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_IP_218070 21s/0h of 112471 corpus (92494s/19977h) 03/14/04
+#counts SARE_RECV_IP_218070 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_RECV_IP_218070 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_218070 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_218070 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_218070 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_218070 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_218072 Received =~ /\[218\.72\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218072 Spam passed through
possible spammer relay
+score SARE_RECV_IP_218072 0.794
+#hist SARE_RECV_IP_218072 Created by Bob Menschel May 23 2004
+#counts SARE_RECV_IP_218072 55s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_IP_218072 69s/2h of 120459 corpus (71363s/49096h RM) 02/12/05
+#counts SARE_RECV_IP_218072 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_218072 22s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_218072 91s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_218072 133s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_218072 10s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#max SARE_RECV_IP_218072 13s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_218072 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_218078 Received =~ /\[218\.(?:7[89]|8[0123])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218078 Passed through possible spammer relay or source
+score SARE_RECV_IP_218078 1.666
+#hist SARE_RECV_IP_218078 Created by Bob Menschel Oct 07 2004
+#note SARE_RECV_IP_218078 ChinaNet, Shanghai Province
+#counts SARE_RECV_IP_218078 367s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_IP_218078 581s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_RECV_IP_218078 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_218078 677s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_218078 71s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_RECV_IP_218078 74s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_218078 8s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_218088 Received =~ /\[218\.8[89]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218088 Passed through possible spammer relay or source
+score SARE_RECV_IP_218088 1.378
+#ham SARE_RECV_IP_218088 confirmed: 1
+#note SARE_RECV_IP_218088 CHINANET sichuan province
network
+#hist SARE_RECV_IP_218088 Created by Bob Menschel Nov 04 2004
+#counts SARE_RECV_IP_218088 71s/1h of 619677 corpus (318875s/300802h RM) 09/11/05
+#max SARE_RECV_IP_218088 111s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_RECV_IP_218088 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_218088 13s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_218088 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_218088 2s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_RECV_IP_218088 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_218088 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_218216 Received =~ /\[218\.(?:21[6-9]|22\d|23[01])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218216 Passed through possible spammer relay or source
+score SARE_RECV_IP_218216 0.740
+#ham SARE_RECV_IP_218216 confirmed (2)
+#hist SARE_RECV_IP_218216 Created by Bob Menschel Oct 23 2004
+#counts SARE_RECV_IP_218216 260s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_218216 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_218216 12s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_218216 6s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_RECV_IP_218216 11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_218216 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_219128 Received =~ /\[219\.1(?:2[89]|3[0-7])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_219128 Passed through possible spammer relay or source
+score SARE_RECV_IP_219128 1.666
+#hist SARE_RECV_IP_219128 Created by Bob Menschel Aug 23 2004
+#counts SARE_RECV_IP_219128 1752s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_219128 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_219128 225s/0h of 47809 corpus (43224s/4585h MY)
07/27/05
+#counts SARE_RECV_IP_219128 17s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_RECV_IP_219128 37s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_219128 4s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_220116 Received =~ /\[220\.(?:11[6-9]|12[0-7])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_220116 Passed through possible spammer relay or source
+score SARE_RECV_IP_220116 1.666
+#ham SARE_RECV_IP_220116 confirmed (1)
+#hist SARE_RECV_IP_220116 Created by Bob Menschel Jul 17 2004
+#note SARE_RECV_IP_220116 Korea Telecom
+#counts SARE_RECV_IP_220116 1177s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_220116 108s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_220116 161s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_220116 58s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_IP_220116 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_221124 Received =~ /\[221\.12[4-7]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_221124 Spam passed through possible spammer relay
+score SARE_RECV_IP_221124 1.666
+#hist SARE_RECV_IP_221124 Created by Bob Menschel May 30 2004
+#counts SARE_RECV_IP_221124 633s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_221124 66s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_221124 74s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_221124 16s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_221124 12s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_RECV_IP_221124 24s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_221124 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_222000 Received =~ /\[222\.(?:\d|1[0-5])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_222000 Passed through possible spammer relay or source
+score SARE_RECV_IP_222000 0.553
+#ham
SARE_RECV_IP_222000 confirmed (1)
+#hist SARE_RECV_IP_222000 Created by Bob Menschel Aug 09 2004
+#counts SARE_RECV_IP_222000 171s/19h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_222000 20s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_222000 6s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_222000 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_222000 7s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_222000 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_222064 Received =~ /\[222\.(?:6[4-9]|7[0-3])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_222064 Spam passed through possible spammer relay
+score SARE_RECV_IP_222064 1.666
+#ham SARE_RECV_IP_222064 verified (1)
+#hist SARE_RECV_IP_222064 Created by Bob Menschel Apr 18 2004
+#counts SARE_RECV_IP_222064 728s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_IP_222064 831s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_RECV_IP_222064 95s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_222064 97s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_222064 685s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_222064 849s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_222064 27s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_RECV_IP_222064 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_222064 5s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+#####################################################################################
+# SARE Reply-To Rules
+######## ###################### ##################################################
+
+#####################################################################################
+# SARE To/Cc Destination rules
+######## ###################### ##################################################
+
+header
SARE_TO_EMPTY To =~ /<>/
+describe SARE_TO_EMPTY To address is set to empty
+score SARE_TO_EMPTY 0.330 0.550 0.000 0.550 # prev target: 0.660 when added to TO_NO_USER
+score SARE_TO_EMPTY 0.000 0.222 0.000 0.222 # curr target: 0.333 when added to TO_NO_USER
+#hist SARE_TO_EMPTY Originally submitted by Bob Menschel
+#overlap SARE_TO_EMPTY Distrib: TO_NO_USER: score TO_NO_USER 0.332 0.116 1.615 0.128
+#counts SARE_TO_EMPTY 5s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_TO_EMPTY 26s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
+#counts SARE_TO_EMPTY 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TO_EMPTY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TO_EMPTY 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_TO_EMPTY 0s/1h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_TO_EMPTY 0s/2h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+#####################################################################################
+# SARE X-Mailer Rules
+######## ###################### ##################################################
+
+header SARE_XMAIL_GDI X-Mailer=~/GDI Mailer/
+describe SARE_XMAIL_GDI Ratware mailer
+score SARE_XMAIL_GDI 0.100
+#hist SARE_XMAIL_GDI Bob Menschel, Feb 25 2005
+#counts SARE_XMAIL_GDI 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_XMAIL_GDI 1s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_XMAIL_GDI 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_XMAIL_GDI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_GDI 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_XMAIL_GOMAIL X-Mailer =~ /GoMail/i
+describe SARE_XMAIL_GOMAIL Apparently uses spam/bulk mailer
+score SARE_XMAIL_GOMAIL 1.666
+#hist SARE_XMAIL_GOMAIL Bob Menschel, Mar 4 2005, from suggestion by Alex Broens
+#counts SARE_XMAIL_GOMAIL 1319s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_GOMAIL 0s/0h of 10590 corpus
(5819s/4771h CT) 07/26/05
+#max SARE_XMAIL_GOMAIL 1s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
+#counts SARE_XMAIL_GOMAIL 15s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
+#counts SARE_XMAIL_GOMAIL 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
+#counts SARE_XMAIL_GOMAIL 0s/2h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_XMAIL_PSSMAILER X-Mailer =~ /PSS Mailer/
+describe SARE_XMAIL_PSSMAILER Apparently uses bulk mailer
+score SARE_XMAIL_PSSMAILER 1.111
+#stype SARE_XMAIL_PSSMAILER spamp
+#hist SARE_XMAIL_PSSMAILER RM_hxm_PSSMailer
+#counts SARE_XMAIL_PSSMAILER 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_XMAIL_PSSMAILER 12s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#counts SARE_XMAIL_PSSMAILER 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
+#counts SARE_XMAIL_PSSMAILER 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
+#counts SARE_XMAIL_PSSMAILER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_PSSMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_XMAIL_RLSP X-Mailer =~ /RLSP/
+describe SARE_XMAIL_RLSP Uses Bulk Mailer used by spammers
+score SARE_XMAIL_RLSP 1.666
+#ham SARE_XMAIL_RLSP cartoon newsletter, personal emails (2)
+#hist SARE_XMAIL_RLSP Created by Bob Menschel Sep 27 2004
+#counts SARE_XMAIL_RLSP 1782s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_RLSP 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_XMAIL_RLSP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_XMAIL_RLSP 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_XMAIL_RLSP 6s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+header SARE_XMAIL_TOLMAIL X-Mailer =~ /\bTOL Mailer\b/
+describe SARE_XMAIL_TOLMAIL X-Mailer used by spammer
+score SARE_XMAIL_TOLMAIL 0.769
+#ham SARE_XMAIL_TOLMAIL possible (1)
+#hist SARE_XMAIL_TOLMAIL Alex Broens, July 29 2005
+#counts SARE_XMAIL_TOLMAIL 41s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_XMAIL_TOLMAIL 36s/0h of 325151 corpus (158002s/167149h RM) 07/31/05
+#counts SARE_XMAIL_TOLMAIL 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+#####################################################################################
+# SARE Miscellaneous and X-Header header rules
+######## ###################### ##################################################
+
+header SARE_HEAD_DATE14 Date =~ /^.{1,14}$/
+score SARE_HEAD_DATE14 1.666
+#counts SARE_HEAD_DATE14 313s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE14 43s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
+#counts SARE_HEAD_DATE14 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HEAD_DATE14 0s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE14 0s/1h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+header SARE_HEAD_DATE_5L Date =~ /[a-z]{5}\s*$/i
+describe SARE_HEAD_DATE_5L Date header ends in 5+ letters
+score SARE_HEAD_DATE_5L 0.776
+#ham SARE_HEAD_DATE_5L confirmed (5
+#hist SARE_HEAD_DATE_5L Tim Jackson, May 12 2005
+#counts SARE_HEAD_DATE_5L 395s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE_5L 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE_5L 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_DATE_5L 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_HEAD_DATE_RNDDATE Date =~ /RND/i
+describe SARE_HEAD_DATE_RNDDATE Spam passed through iswest.net relay
+score SARE_HEAD_DATE_RNDDATE 1.666
+#stype SARE_HEAD_DATE_RNDDATE spamg
+#counts SARE_HEAD_DATE_RNDDATE 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_DATE_RNDDATE 9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
+#counts SARE_HEAD_DATE_RNDDATE 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
+#counts SARE_HEAD_DATE_RNDDATE 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
+#counts SARE_HEAD_DATE_RNDDATE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts
SARE_HEAD_DATE_RNDDATE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_MSMPR_RNDSTR X-MSMail-Priority =~ /PRIORITY_STRING/i
+describe SARE_HEAD_MSMPR_RNDSTR Spam passed through iswest.net relay
+score SARE_HEAD_MSMPR_RNDSTR 1.666
+#stype SARE_HEAD_MSMPR_RNDSTR spamg
+#counts SARE_HEAD_MSMPR_RNDSTR 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_MSMPR_RNDSTR 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_MSMPR_RNDSTR 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
+#counts SARE_HEAD_MSMPR_RNDSTR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_MSMPR_RNDSTR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_ORG_PREFIXW Organization =~ /Prefix that with/i
+describe SARE_HEAD_ORG_PREFIXW Spam sign in Organization header
+score SARE_HEAD_ORG_PREFIXW 0.617
+#hist SARE_HEAD_ORG_PREFIXW Alex Broens, Feb 20 2005
+#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_ORG_PREFIXW 10s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HEAD_ORG_PREFIXW 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_XLIB_INDY1 X-Library=~ /Indy 10.00.14-B/
+describe SARE_HEAD_XLIB_INDY1 Uses S/W version which has only been seen in spam
+score SARE_HEAD_XLIB_INDY1 0.844
+#hist SARE_HEAD_XLIB_INDY1 Originally submitted by Bob Menschel, RM.hxl_ForgedIndy
+#counts SARE_HEAD_XLIB_INDY1 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
+#max SARE_HEAD_XLIB_INDY1 30s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
+#counts SARE_HEAD_XLIB_INDY1 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_XLIB_INDY1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2
SA3.0-pre2
+#counts SARE_HEAD_XLIB_INDY1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_XLIB_INDY1 13s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HEAD_XLIB_INDY1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XLIB_INDY1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_XLIB_INDY2 X-Library=~ /Indy 8.0.25/
+describe SARE_HEAD_XLIB_INDY2 Uses S/W version which has only been seen in spam
+score SARE_HEAD_XLIB_INDY2 0.914
+#ham SARE_HEAD_XLIB_INDY2 verified (1)
+#hist SARE_HEAD_XLIB_INDY2 Created by Bob Menschel May 31 2004
+#counts SARE_HEAD_XLIB_INDY2 124s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_XLIB_INDY2 130s/1h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_HEAD_XLIB_INDY2 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_XLIB_INDY2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_XLIB_INDY2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HEAD_XLIB_INDY2 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_XLIB_INDY2 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_XLIB_INDY2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_HEAD_XUNSENT X-Unsent =~ /\b1\b/i
+describe SARE_HEAD_XUNSENT Found spamsign header
+score SARE_HEAD_XUNSENT 1.666
+#hist SARE_HEAD_XUNSENT Alex Broens, June 10 2005
+#counts SARE_HEAD_XUNSENT 15436s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_XUNSENT 57s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_HEAD_XUNSENT 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#counts SARE_HEAD_XUNSENT 98s/0h of 53950 corpus (16777s/37173h JH-3.01) 06/11/05
+#counts SARE_HEAD_XUNSENT 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_HEAD_XWORD ALL =~ /\n(?!(?:X-Scanned|X-Windows|X-Emacs|X-Note))X-[A-Z][a-z\d]+:\s+(?:[a-z]{2,20}\s){5,}/
+describe SARE_HEAD_XWORD Spam tool
+score SARE_HEAD_XWORD 1.111
+#ham
SARE_HEAD_XWORD verified (1)
+#hist SARE_HEAD_XWORD Loren Wilton, June 2005
+#hist SARE_HEAD_XWORD Added X-Scanned exclusion Sep 24 2005
+#counts SARE_HEAD_XWORD 114s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_XWORD 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+#####################################################################################
+# SARE Rules which examine multiple header types
+######## ###################### ##################################################
+
+header SARE_HEAD_8BIT_DATE Date =~ /[\x80-\xff]{3}/
+describe SARE_HEAD_8BIT_DATE High-ascii characters found in strange header
+score SARE_HEAD_8BIT_DATE 1.666
+#hist SARE_HEAD_8BIT_DATE From Bugzilla # 2243
+#ham SARE_HEAD_8BIT_DATE verified (1)
+#counts SARE_HEAD_8BIT_DATE 433s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_8BIT_DATE 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_8BIT_DATE 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+#counts SARE_HEAD_8BIT_DATE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_8BIT_DATE 1s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+header SARE_MULT_VIA_CITIZNET ALL =~ /\@(?:\w+\.)?citiz\.net\b/i
+describe SARE_MULT_VIA_CITIZNET header references apparent spam source
+score SARE_MULT_VIA_CITIZNET 0.816
+#ham SARE_MULT_VIA_CITIZNET confirmed (2)
+#hist SARE_MULT_VIA_CITIZNET Created by Bob Menschel Aug 23 2004
+#counts SARE_MULT_VIA_CITIZNET 37s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_MULT_VIA_CITIZNET 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_MULT_VIA_CITIZNET 8s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
+#counts SARE_MULT_VIA_CITIZNET 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_MULT_VIA_CITIZNET 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_MULT_VIA_CITIZNET 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_MULT_VIA_CITIZNET 2s/0h of 10853 corpus
(6391s/4462h CT) 05/16/05
+#counts SARE_MULT_VIA_CITIZNET 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+
+# EOF
+
+# SARE Header Abuse Ruleset for SpamAssassin -- file 2
+# Version: 01.03.16
+# Created: 2004-04-25
+# Modified: 2005-10-28
+# Usage instructions and documentation in 70_sare_header0.cf
+
+# Full Revision History / Change Log in 70_sare_header.log
+#@@# 01.03.16 Oct 28 2005
+#@@# Minor score updates based on additional mass-check
+#@@# Archived from file 2: SARE_HEAD_HDR_XAUTREPL
+#@@# Archived from file 2: SARE_HEAD_HDR_XESINSR
+#@@# Moved file 0 to file 2: SARE_RECV_IP_063111025
+#@@# Moved file 0 to file 2: SARE_RECV_RANDOM
+#@@# Moved file 1 to file 2: SARE_FREE_WEBM_USACOPS
+#@@# Moved file 1 to file 2: SARE_HEAD_HDR_XEMGBMS
+#@@# Moved file 1 to file 2: SARE_HEAD_XCANIT1
+#@@# Moved file 1 to file 2: SARE_HEAD_XCANIT2
+#@@# Moved file 1 to file 2: SARE_MSGID_SPAM_DOMN0
+#@@# Moved file 1 to file 2: SARE_MSGID_SUSP2
+#@@# Moved file 1 to file 2: SARE_RECV_IP_081019
+#@@# Moved file 1 to file 2: SARE_RECV_IP_211049
+#@@# Moved file 1 to file 2: SARE_RECV_RND_NUMBER
+#@@# Moved file 2 to file 0: SARE_HEAD_HDR_XE
+#@@# Moved file 2 to file 1: SARE_FROM_AST
+#@@# Moved file 2 to file 1: SARE_HEAD_HDR_XCNDINF
+#@@# Moved file 3 to file 2: SARE_FREE_WEBM_Iamfi
+#@@# Moved file 3 to file 2: SARE_MSGID_ALL_CAPHM
+#@@# Moved file 3 to file 2: SARE_TOCC_MAILDOMN
+#@@# Moved file 3 to file 2: SARE_XMAIL_BULK4
+
+######## ###################### ##################################################
+# Component rules used within meta rules
+######## ###################### ##################################################
+
+header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
+
+#####################################################################################
+# SARE Header-Exists rules
+######## ###################### ##################################################
+
+header SARE_HEAD_HDR_CONVWLS exists:Conversion-With-Loss
+describe
SARE_HEAD_HDR_CONVWLS Message headers used which identify spam
+score SARE_HEAD_HDR_CONVWLS 1.111
+#stype SARE_HEAD_HDR_CONVWLS spamp
+#counts SARE_HEAD_HDR_CONVWLS 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_HEAD_HDR_CONVWLS 16s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_HDR_CONVWLS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_CONVWLS 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_CONVWLS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_CONVWLS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_EPATH exists:Error-path
+describe SARE_HEAD_HDR_EPATH Message headers used which identify spam
+score SARE_HEAD_HDR_EPATH 0.555
+#stype SARE_HEAD_HDR_EPATH spamp
+#counts SARE_HEAD_HDR_EPATH 0s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
+#max SARE_HEAD_HDR_EPATH 4s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_EPATH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_EPATH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_EPATH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_EPATH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_JLH exists:X-JLH
+describe SARE_HEAD_HDR_JLH Message headers used which identify spam
+score SARE_HEAD_HDR_JLH 1.111
+#stype SARE_HEAD_HDR_JLH spamp
+#counts SARE_HEAD_HDR_JLH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#max SARE_HEAD_HDR_JLH 71s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_JLH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_JLH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_JLH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_HDR_JLH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+
+header SARE_HEAD_HDR_REDIRTO exists:Redirect-to
+describe SARE_HEAD_HDR_REDIRTO
Message headers used which identify spam
+score SARE_HEAD_HDR_REDIRTO 0.555
+#stype SARE_HEAD_HDR_REDIRTO spamp
+#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#max SARE_HEAD_HDR_REDIRTO 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
+#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_ROT exists:Rot
+describe SARE_HEAD_HDR_ROT Message headers used which identify spam
+score SARE_HEAD_HDR_ROT 0.555
+#stype SARE_HEAD_HDR_ROT spamp
+#counts SARE_HEAD_HDR_ROT 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#max SARE_HEAD_HDR_ROT 3s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
+#counts SARE_HEAD_HDR_ROT 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_ROT 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_ROT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_ROT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_RTNPATH exists:List-Return-Path
+describe SARE_HEAD_HDR_RTNPATH Message headers used which identify spam
+score SARE_HEAD_HDR_RTNPATH 1.111
+#stype SARE_HEAD_HDR_RTNPATH spamp
+#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#max SARE_HEAD_HDR_RTNPATH 32s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_WCMSGID exists:WcMessage-ID
+describe SARE_HEAD_HDR_WCMSGID
Message headers used which identify spam +score SARE_HEAD_HDR_WCMSGID 0.555 +#stype SARE_HEAD_HDR_WCMSGID spamp +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_WCMSGID 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_X400MTI exists:X400-MTS-Identifier +describe SARE_HEAD_HDR_X400MTI Message headers used which identify spam +score SARE_HEAD_HDR_X400MTI 0.555 +#stype SARE_HEAD_HDR_X400MTI spamp +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_X400MTI 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05 +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XAR exists:X-AR +describe SARE_HEAD_HDR_XAR Message headers used which identify spam +score SARE_HEAD_HDR_XAR 0.555 +#stype SARE_HEAD_HDR_XAR spamp +#counts SARE_HEAD_HDR_XAR 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05 +#max SARE_HEAD_HDR_XAR 2s/0h of 66087 corpus (40127s/25960h RM) 09/11/04 +#counts SARE_HEAD_HDR_XAR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XAR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XAR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XAR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XAUTGEN exists:X-Auto-Generated +describe SARE_HEAD_HDR_XAUTGEN 
Message headers used which identify spam +score SARE_HEAD_HDR_XAUTGEN 0.555 +#stype SARE_HEAD_HDR_XAUTGEN spamp +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_XAUTGEN 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XCROSS exists:X-cross +describe SARE_HEAD_HDR_XCROSS Message headers used which identify spam +score SARE_HEAD_HDR_XCROSS 0.100 +#stype SARE_HEAD_HDR_XCROSS spamp +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XEMGBMS exists:X-EMailGateBouncedMessage +describe SARE_HEAD_HDR_XEMGBMS Message headers used which identify spam +score SARE_HEAD_HDR_XEMGBMS 0.555 +#stype SARE_HEAD_HDR_XEMGBMS spamp +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05 +#max SARE_HEAD_HDR_XEMGBMS 6s/0h of 274235 corpus (109066s/165169h RM) 05/15/05 +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XLC exists:X-L-C +describe SARE_HEAD_HDR_XLC Message headers used which identify spam +score 
SARE_HEAD_HDR_XLC 0.100 +#stype SARE_HEAD_HDR_XLC spamp +#counts SARE_HEAD_HDR_XLC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XLC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XLC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XLC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XLC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XLIDCOD exists:X-LIDCode +describe SARE_HEAD_HDR_XLIDCOD Message headers used which identify spam +score SARE_HEAD_HDR_XLIDCOD 0.100 +#stype SARE_HEAD_HDR_XLIDCOD spamp +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMISCID exists:X-Misc_ID +describe SARE_HEAD_HDR_XMISCID Message headers used which identify spam +score SARE_HEAD_HDR_XMISCID 0.100 +#stype SARE_HEAD_HDR_XMISCID spamp +#hist SARE_HEAD_HDR_XMISCID FH_XMISCID +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMLCIPH exists:X-mlcipher +describe SARE_HEAD_HDR_XMLCIPH Message headers used which identify spam +score SARE_HEAD_HDR_XMLCIPH 0.100 +#stype SARE_HEAD_HDR_XMLCIPH spamp +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 18196 corpus 
(15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMLMSGI exists:X-mlmsgid +describe SARE_HEAD_HDR_XMLMSGI Message headers used which identify spam +score SARE_HEAD_HDR_XMLMSGI 0.100 +#stype SARE_HEAD_HDR_XMLMSGI spamp +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMAGDID exists:X-magdalene-ID +describe SARE_HEAD_HDR_XMAGDID Message headers used which identify spam +score SARE_HEAD_HDR_XMAGDID 0.555 +#stype SARE_HEAD_HDR_XMAGDID spamp +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04 +#max SARE_HEAD_HDR_XMAGDID 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04 +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMPM exists:X-mpm +describe SARE_HEAD_HDR_XMPM Message headers used which identify spam +score SARE_HEAD_HDR_XMPM 0.100 +#stype SARE_HEAD_HDR_XMPM spamp +#counts SARE_HEAD_HDR_XMPM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XMPM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMPM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMPM 0s/0h of 
10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMPM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMS exists:X-ms +describe SARE_HEAD_HDR_XMS Message headers used which identify spam +score SARE_HEAD_HDR_XMS 0.100 +#stype SARE_HEAD_HDR_XMS spamp +#counts SARE_HEAD_HDR_XMS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XNOSPAM exists:X-No-Spam +describe SARE_HEAD_HDR_XNOSPAM Message headers used which identify spam +score SARE_HEAD_HDR_XNOSPAM 1.111 +#stype SARE_HEAD_HDR_XNOSPAM spamp +#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05 +#max SARE_HEAD_HDR_XNOSPAM 12s/0h of 60201 corpus (35226s/24975h RM) 08/14/04 +#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_HEAD_HDR_XNOSPAM 4s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XNTC exists:X-ntc +describe SARE_HEAD_HDR_XNTC Message headers used which identify spam +score SARE_HEAD_HDR_XNTC 0.100 +#stype SARE_HEAD_HDR_XNTC spamp +#counts SARE_HEAD_HDR_XNTC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XNTC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XNTC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XNTC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XNTC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header 
SARE_HEAD_HDR_XPOPB4S exists:X-Pop-Before-SMTP-Sender +describe SARE_HEAD_HDR_XPOPB4S Message headers used which identify spam +score SARE_HEAD_HDR_XPOPB4S 0.555 +#stype SARE_HEAD_HDR_XPOPB4S spamp +#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#max SARE_HEAD_HDR_XPOPB4S 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04 +#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XPOPFLK exists:X-POPFile-Link +describe SARE_HEAD_HDR_XPOPFLK Message headers used which identify spam +score SARE_HEAD_HDR_XPOPFLK 0.555 +#stype SARE_HEAD_HDR_XPOPFLK spamp +#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04 +#max SARE_HEAD_HDR_XPOPFLK 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XPRIOMS exists:X-Prioserve-MailScanner +describe SARE_HEAD_HDR_XPRIOMS Message headers used which identify spam +score SARE_HEAD_HDR_XPRIOMS 0.555 +#stype SARE_HEAD_HDR_XPRIOMS spamp +#counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_XPRIOMS 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts 
SARE_HEAD_HDR_XPRIOMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XPRIOMF exists:X-Prioserve-MailScanner-From +describe SARE_HEAD_HDR_XPRIOMF Message headers used which identify spam +score SARE_HEAD_HDR_XPRIOMF 0.555 +#stype SARE_HEAD_HDR_XPRIOMF spamp +#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_XPRIOMF 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XPRIOMI exists:X-Prioserve-MailScanner-Information +describe SARE_HEAD_HDR_XPRIOMI Message headers used which identify spam +score SARE_HEAD_HDR_XPRIOMI 0.555 +#stype SARE_HEAD_HDR_XPRIOMI spamp +#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_XPRIOMI 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XPIROMC exists:X-Prioserve-MailScanner-SpamCheck +describe SARE_HEAD_HDR_XPIROMC Message headers used which identify spam +score SARE_HEAD_HDR_XPIROMC 0.555 +#stype SARE_HEAD_HDR_XPIROMC spamp +#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_XPIROMC 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 
02/01/05 +#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XRBLTST exists:X-RBL-TST +describe SARE_HEAD_HDR_XRBLTST Message headers used which identify spam +score SARE_HEAD_HDR_XRBLTST 0.555 +#stype SARE_HEAD_HDR_XRBLTST spamp +#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05 +#max SARE_HEAD_HDR_XRBLTST 2s/0h of 114238 corpus (81067s/33171h RM) 01/15/05 +#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XREC exists:X-Rec +describe SARE_HEAD_HDR_XREC Message headers used which identify spam +score SARE_HEAD_HDR_XREC 2.222 +#stype SARE_HEAD_HDR_XREC spamp +#counts SARE_HEAD_HDR_XREC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XREC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XREC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XREC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XSPAMSC exists:X-Spam-Score +describe SARE_HEAD_HDR_XSPAMSC Message headers used which identify spam +score SARE_HEAD_HDR_XSPAMSC 0.555 +#stype SARE_HEAD_HDR_XSPAMSC spamp +#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 60201 corpus (35226s/24975h RM) 08/14/04 +#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_HEAD_HDR_XSPAMSC 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 10853 corpus (6391s/4462h CT) 
05/16/05 +#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XSRK exists:X-srk +describe SARE_HEAD_HDR_XSRK Message headers used which identify spam +score SARE_HEAD_HDR_XSRK 0.100 +#stype SARE_HEAD_HDR_XSRK spamp +#counts SARE_HEAD_HDR_XSRK 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XSRK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XSRK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XSRK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XSRK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XSUBID exists:X-SubID +describe SARE_HEAD_HDR_XSUBID Message headers used which identify spam +score SARE_HEAD_HDR_XSUBID 0.555 +#stype SARE_HEAD_HDR_XSUBID spamp +#counts SARE_HEAD_HDR_XSUBID 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05 +#max SARE_HEAD_HDR_XSUBID 3s/0h of 114238 corpus (81067s/33171h RM) 01/15/05 +#counts SARE_HEAD_HDR_XSUBID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XSUBID 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XSUBID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XSUBID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XTRANS exists:X-Trans +describe SARE_HEAD_HDR_XTRANS Message headers used which identify spam +score SARE_HEAD_HDR_XTRANS 0.100 +#stype SARE_HEAD_HDR_XTRANS spamp +#counts SARE_HEAD_HDR_XTRANS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XTRANS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XTRANS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XTRANS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XTRANS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XTXTCLS exists:X-Text-Classification +describe SARE_HEAD_HDR_XTXTCLS 
Message headers used which identify spam +score SARE_HEAD_HDR_XTXTCLS 0.555 +#stype SARE_HEAD_HDR_XTXTCLS spamp +#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04 +#max SARE_HEAD_HDR_XTXTCLS 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XVIG exists:X-Vig +describe SARE_HEAD_HDR_XVIG Message headers used which identify spam +score SARE_HEAD_HDR_XVIG 0.100 +#stype SARE_HEAD_HDR_XVIG spamp +#counts SARE_HEAD_HDR_XVIG 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XVIG 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XVIG 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XVIG 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XVIG 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XYD exists:X-yd +describe SARE_HEAD_HDR_XYD Message headers used which identify spam +score SARE_HEAD_HDR_XYD 0.100 +#stype SARE_HEAD_HDR_XYD spamp +#counts SARE_HEAD_HDR_XYD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XYD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XYD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XYD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XYD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XI exists:X-I +describe SARE_HEAD_HDR_XI Message headers used which identify spam +score SARE_HEAD_HDR_XI 0.100 +#stype SARE_HEAD_HDR_XI spamp +#counts SARE_HEAD_HDR_XI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XI 0s/0h of 18196 
corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XIM exists:X-IM +describe SARE_HEAD_HDR_XIM Message headers used which identify spam +score SARE_HEAD_HDR_XIM 0.100 +#stype SARE_HEAD_HDR_XIM spamp +#counts SARE_HEAD_HDR_XIM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XIM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XIM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XIM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XIM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +##################################################################################### +# SARE Content-Type and Boundary rules +######## ###################### ################################################## + +full SARE_CONTENT_BITBITNUM /\nContent-Encoding: BitBitNUM\n/ +describe SARE_CONTENT_BITBITNUM Unlikely content encoding +score SARE_CONTENT_BITBITNUM 1.406 +#hist SARE_CONTENT_BITBITNUM Loren Wilton, Feb 1 2005 +#counts SARE_CONTENT_BITBITNUM 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05 +#max SARE_CONTENT_BITBITNUM 153s/0h of 95210 corpus (59682s/35528h RM) 02/01/05 +#counts SARE_CONTENT_BITBITNUM 64s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 +#counts SARE_CONTENT_BITBITNUM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_CONTENT_BITBITNUM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +##################################################################################### +# SARE From Rules +######## ###################### ################################################## + +header SARE_FROM_AMERICA From =~ /[^\-]\bamerica\.com\b/i +describe SARE_FROM_AMERICA From user address is used by spammer +score SARE_FROM_AMERICA 
1.111 +#stype SARE_FROM_AMERICA spamp +#hist SARE_FROM_AMERICA Created by Bob Menschel Sep 24 2004 +#counts SARE_FROM_AMERICA 0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05 +#max SARE_FROM_AMERICA 5s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#counts SARE_FROM_AMERICA 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 +#counts SARE_FROM_AMERICA 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#max SARE_FROM_AMERICA 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 +#counts SARE_FROM_AMERICA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_FROM_AMERICA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FROM_SPAM_DOMN2 From =~ /\@wses\.(?:com|org)/i +describe SARE_FROM_SPAM_DOMN2 From address suggests this is spam +score SARE_FROM_SPAM_DOMN2 0.100 +#stype SARE_FROM_SPAM_DOMN2 spamp +#hist SARE_FROM_SPAM_DOMN2 RM_fa_wses +#counts SARE_FROM_SPAM_DOMN2 0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04 +#counts SARE_FROM_SPAM_DOMN2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 +#counts SARE_FROM_SPAM_DOMN2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_FROM_SPAM_DOMN2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FROM_VIRUS1 ALL=~ /From:\ssupport\@microsoft.com/ +describe SARE_FROM_VIRUS1 From address suggests this is a virus +score SARE_FROM_VIRUS1 3.333 +#stype SARE_FROM_VIRUS1 vbgg +#counts SARE_FROM_VIRUS1 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05 +#max SARE_FROM_VIRUS1 21s/0h of 400432 corpus (178148s/222284h RM) 03/31/05 +#counts SARE_FROM_VIRUS1 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 +#counts SARE_FROM_VIRUS1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_FROM_VIRUS1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +##################################################################################### +# SARE From Rules -- Emails coming from free webmail accounts +# Since spam from these can vary depending upon country of origin, +# country of destination, 
policies, and enforcement of policies, +# most of these are kept as separate rules rather than combined. +######## ###################### ################################################## + +header SARE_FREE_WEBM_Iamfi From =~ /\biamfinallyonline\.com/i +describe SARE_FREE_WEBM_Iamfi Sender used free email account - may be spammer +score SARE_FREE_WEBM_Iamfi 0.555 +#stype SARE_FREE_WEBM_Iamfi spamp +#hist SARE_FREE_WEBM_Iamfi Created by Bob Menschel Apr 09 2004 +#counts SARE_FREE_WEBM_Iamfi 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05 +#max SARE_FREE_WEBM_Iamfi 3s/0h of 60630 corpus (35509s/25121h RM) 08/11/04 +#counts SARE_FREE_WEBM_Iamfi 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 +#counts SARE_FREE_WEBM_Iamfi 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 +#max SARE_FREE_WEBM_Iamfi 1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 +#counts SARE_FREE_WEBM_Iamfi 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_FREE_WEBM_Iamfi 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FREE_WEBM_USACOPS From =~ /\@usacops\.com/i +describe SARE_FREE_WEBM_USACOPS Maybe spammer with free email +score SARE_FREE_WEBM_USACOPS 0.555 +#stype SARE_FREE_WEBM_USACOPS spamp +#hist SARE_FREE_WEBM_USACOPS Created by Bob Menschel Feb 24 2005 +#counts SARE_FREE_WEBM_USACOPS 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05 +#max SARE_FREE_WEBM_USACOPS 2s/0h of 238550 corpus (112525s/126025h RM) 02/28/05 +#counts SARE_FREE_WEBM_USACOPS 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 +#counts SARE_FREE_WEBM_USACOPS 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_FREE_WEBM_USACOPS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_FREE_WEBM_USACOPS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +##################################################################################### +# SARE Message-ID rules +######## ###################### ################################################## + +header SARE_MSGID_06D6 
MESSAGEID =~ /<0{6}\d{6}\$\d/ +describe SARE_MSGID_06D6 Message-ID has ratware pattern (000009999$9) +score SARE_MSGID_06D6 1.061 +#counts SARE_MSGID_06D6 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05 +#max SARE_MSGID_06D6 91s/0h of 115439 corpus (94250s/21189h RM) 04/30/04 +#counts SARE_MSGID_06D6 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04 +#counts SARE_MSGID_06D6 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_MSGID_06D6 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_MSGID_06D6 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header MSGID_SPAM_CAPS Message-ID =~ /^\s*/ # no /i +meta SARE_MSGID_ALL_CAPHM __SARE_MSGID_ALL_CAPHM && !MSGID_SPAM_CAPS +describe SARE_MSGID_ALL_CAPHM Ratware all-caps message-id +score SARE_MSGID_ALL_CAPHM 1.666 +#stype SARE_MSGID_ALL_CAPHM spamg +#hist SARE_MSGID_ALL_CAPHM Created by Bob Menschel May 15 2004 +#note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPHM fall into SARE_MSGID_ALL_CAPS +#counts SARE_MSGID_ALL_CAPHM 0s/0h of 70566 corpus (43013s/27553h RM) 10/02/04 +#max SARE_MSGID_ALL_CAPHM 1s/0h of 69619 corpus (42582s/27037h RM) 09/26/04 +#counts SARE_MSGID_ALL_CAPHM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#max SARE_MSGID_ALL_CAPHM 1s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_MSGID_ALL_CAPHM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_MSGID_ALL_CAPHM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_MSGID_ALL_CAPHM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header MSGID_SPAM_CAPS Message-ID =~ /^\s*/ # no /i +meta SARE_MSGID_ALL_CAPMS __SARE_MSGID_ALL_CAPMS && !MSGID_SPAM_CAPS +describe SARE_MSGID_ALL_CAPMS Ratware all-caps message-id +score SARE_MSGID_ALL_CAPMS 1.666 +#hist SARE_MSGID_ALL_CAPMS Created by Bob Menschel May 15 2004 +#note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPMS fall into SARE_MSGID_ALL_CAPS +#counts SARE_MSGID_ALL_CAPMS 0s/0h of 
58336 corpus (33608s/24728h RM) 08/07/04 +#counts SARE_MSGID_ALL_CAPMS 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 +#counts SARE_MSGID_ALL_CAPMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_MSGID_ALL_CAPMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_MSGID_H7H4H4 MESSAGEID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/ +describe SARE_MSGID_H7H4H4 Message-ID has ratware pattern (7hex$4hex$4hex@) +score SARE_MSGID_H7H4H4 0.222 +#counts SARE_MSGID_H7H4H4 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05 +#max SARE_MSGID_H7H4H4 2s/0h of 115439 corpus (94250s/21189h) 04/30/04 +#counts SARE_MSGID_H7H4H4 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#max SARE_MSGID_H7H4H4 2s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04 +#counts SARE_MSGID_H7H4H4 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_MSGID_H7H4H4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_MSGID_H7H4H4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_MSGID_SPAM_DOMN0 MESSAGEID =~ /\bjeanvaljean\.com/i +describe SARE_MSGID_SPAM_DOMN0 Message ID implies possible spammer relay +score SARE_MSGID_SPAM_DOMN0 1.666 +#stype SARE_MSGID_SPAM_DOMN0 spamg +#hist SARE_MSGID_SPAM_DOMN0 Created by Bob Menschel Mar 22 2004 +#hist SARE_MSGID_SPAM_DOMN0 Removed moosq.com, since now in specific.cf +#counts SARE_MSGID_SPAM_DOMN0 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05 +#max SARE_MSGID_SPAM_DOMN0 1s/0h of 274235 corpus (109066s/165169h RM) 05/15/05 +#counts SARE_MSGID_SPAM_DOMN0 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_MSGID_SPAM_DOMN0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_MSGID_SPAM_DOMN0 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header MSGID_SPAM_ALPHA_NUM MESSAGEID =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/ +header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/ +header __SARE_MSGID_SUSP2 MESSAGEID =~ /\<[A-Z]{5,15}\-\d{10,25}\@[a-z]+\>/ +meta SARE_MSGID_SUSP2 
__SARE_MSGID_SUSP2 && !__SARE_RECV_LOCALHOST && !MSGID_SPAM_ALPHA_NUM +describe SARE_MSGID_SUSP2 Message-Id is +score SARE_MSGID_SUSP2 3.000 +#hist SARE_MSGID_SUSP2 Loren Wilton, LW_BOGUS_MSGID6 +#hist SARE_MSGID_SUSP2 Broadened Aug 2004 by Jesse Houwing, with ham-evading exclude +#V300 SARE_MSGID_SUSP2 strong overlap with MSGID_SPAM_ALPHA_NUM +#counts SARE_MSGID_SUSP2 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05 +#alone SARE_MSGID_SUSP2 174s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 +#max SARE_MSGID_SUSP2 9187s/0h of 115925 corpus (94616s/21309h RM) 05/01/04 +#counts SARE_MSGID_SUSP2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_MSGID_SUSP2 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_MSGID_SUSP2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_MSGID_SUSP2 187s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_MSGID_SUSP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_MSGID_SUSP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +##################################################################################### +# SARE Received Header Rules +######## ###################### ################################################## + +header SARE_HELO_AOLID Received =~ /helo=aol\.com ident=/ +describe SARE_HELO_AOLID Spam passed through apparent spammer relay +score SARE_HELO_AOLID 0.611 +#counts SARE_HELO_AOLID 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05 +#max SARE_HELO_AOLID 10s/0h of 114241 corpus (81067s/33174h RM) 01/15/05 +#counts SARE_HELO_AOLID 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 +#counts SARE_HELO_AOLID 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_HELO_AOLID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HELO_AOLID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_RECV_ADDR2 Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n/ +describe SARE_RECV_ADDR2 Received header missing a FQDN, IP only. 
+score SARE_RECV_ADDR2 0.100
+#counts SARE_RECV_ADDR2 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ADDR2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_ADDR2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_ADDR2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_ADDR3 Received =~ /^from \(.?\[.?\].?\)\b/
+describe SARE_RECV_ADDR3 Received header contains an empty Recieved IP.
+score SARE_RECV_ADDR3 0.100
+#counts SARE_RECV_ADDR3 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ADDR3 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_ADDR3 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_ADDR3 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_ADDR4 Received =~ /^from unknown \(\w+ \w+\)\b/
+describe SARE_RECV_ADDR4 Received contains unknown FQDN with possible HELO.
+score SARE_RECV_ADDR4 0.100
+#counts SARE_RECV_ADDR4 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ADDR4 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_ADDR4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_ADDR4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_ADDR5 Received =~ /^from \(HELO \w+\) \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by /
+describe SARE_RECV_ADDR5 RCVD header has no FQDN and a HELO.
+score SARE_RECV_ADDR5 0.100
+#counts SARE_RECV_ADDR5 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ADDR5 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_ADDR5 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_ADDR5 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_RECV_CHAR_DASHS Received =~ /---/
+header __SARE_RECV_CHAR_DOTS Received =~ /\.\./
+meta SARE_RECV_CHAR_DSHDT __SARE_RECV_CHAR_DASHS && __SARE_RECV_CHAR_DOTS
+describe SARE_RECV_CHAR_DSHDT Strange dashes and dots in received line
+score SARE_RECV_CHAR_DSHDT 0.500
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_RECV_CHAR_DSHDT 7s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_RECV_CHAR_DSHDT 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_ESMTP Received =~ /^from \(?:unknown|\d+\.\d+\.\d+\.\d+\) \(\s+\) by \s+ with esmtp; /
+describe SARE_RECV_ESMTP Received header has forged lowercase 'esmtp' relay
+score SARE_RECV_ESMTP 0.100
+#counts SARE_RECV_ESMTP 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ESMTP 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_ESMTP 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_ESMTP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_RANDOM Received =~ /helo[ =].{1,30}/
+header __SARE_MULT_RATW_03B Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3} by \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3};/
+header __SARE_MULT_RATW_03C Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3} by ;/
+header __SARE_MULT_RATW_03D Received =~ /\bfrom 
\d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3} by web\d{1,4}\.mail\.yahoo\.com;/ +header __SARE_MULT_RATW_03F Received =~ /\bfrom ([A-Z][\w\.]+) by \1$/ +header __SARE_MULT_RATW_03G Received =~ /\%HEAD_RND_DOM/ +header __SARE_MULT_RATW_03H Received =~ /\(qmail 14413 invoked from network\);/ +header __SARE_MULT_RATW_03I ALL =~ /\bX-Mailer: [a-z]+ [a-z]+\n[a-z]+\-[a-z]+: [a-z]+ [a-z]+ [a-z]+\n/s +meta SARE_MULT_RATW_03 (__SARE_MULT_RATW_03A && (__SARE_MULT_RATW_03B || __SARE_MULT_RATW_03C || __SARE_MULT_RATW_03D || __SARE_MULT_RATW_03E || __SARE_MULT_RATW_03F || __SARE_MULT_RATW_03G || __SARE_MULT_RATW_03H || __SARE_MULT_RATW_03I)) +describe SARE_MULT_RATW_03 Spammer sign in headers +score SARE_MULT_RATW_03 1.666 +#hist SARE_MULT_RATW_03 LW_RATWARE4 +#counts SARE_MULT_RATW_03 0s/0h of 196708 corpus (96197s/100511h RM) 02/21/05 +#max SARE_MULT_RATW_03 321s/0h of 85084 corpus (62489s/22595h RM) 06/08/04 +#counts SARE_MULT_RATW_03 57s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#max SARE_MULT_RATW_03 172s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_MULT_RATW_03 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_MULT_RATW_03 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_MULT_RATW_03 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_MULT_RATW_03 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +##################################################################################### +# SARE Miscellaneous and X-Header header rules +######## ###################### ################################################## + +header SARE_HEAD_CONT_RNDCONT Content-Transfer-Encoding =~ /CONTENT_ENCODING/i +describe SARE_HEAD_CONT_RNDCONT Spam passed through iswest.net relay +score SARE_HEAD_CONT_RNDCONT 1.166 +#counts SARE_HEAD_CONT_RNDCONT 0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05 +#counts SARE_HEAD_CONT_RNDCONT 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05 +#counts SARE_HEAD_CONT_RNDCONT 0s/0h of 26184 
corpus (22793s/3391h MY) 02/16/05
+#counts SARE_HEAD_CONT_RNDCONT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_CONT_RNDCONT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_HEAD_SUBJ_RAND Subject =~ /^(?:R[Ee]: )?(?:[a-z]{2,20}[\-\.\,]?\s?){1,8}/ # no /i!
+meta SARE_HEAD_SUBJ_RAND (__SARE_HEAD_SUBJ_RAND && (SARE_XMAIL_SUSP2 || SARE_HEAD_XAUTH_WARN || X_AUTH_WARN_FAKED))
+describe SARE_HEAD_SUBJ_RAND Subject is possibly random words
+score SARE_HEAD_SUBJ_RAND 1.033
+#hist SARE_HEAD_SUBJ_RAND LW_BOGUS_SUBJECT
+#hist SARE_HEAD_SUBJ_RAND Added option for 3.0 rule X_AUTH_WARN_FAKED
+#note SARE_HEAD_SUBJ_RAND Stored in HEADER rule set rather than SUBJ rule set because of its meta dependencies.
+#ham SARE_HEAD_SUBJ_RAND confirmed (1): Re: entropy depletion
+#counts SARE_HEAD_SUBJ_RAND 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#max SARE_HEAD_SUBJ_RAND 343s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
+#counts SARE_HEAD_SUBJ_RAND 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_SUBJ_RAND 82s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_SUBJ_RAND 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HEAD_SUBJ_RAND 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_SUBJ_RAND 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_SUBJ_RAND 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_TOCC_DEFHNDL All =~ /TO_CC_DEFAULT_HANDLER/i
+describe SARE_HEAD_TOCC_DEFHNDL Spam passed through iswest.net relay
+score SARE_HEAD_TOCC_DEFHNDL 1.166
+#counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
+#counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
+#counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
+#counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 2500 corpus (531s/1969h ft) 
05/17/05
+
+header SARE_HEAD_XAUTH_WARN2 X-Authentication-Warning =~ /\b[A-Z]{2,5}[a-z]{5,7}[0-9]{2}\b/
+describe SARE_HEAD_XAUTH_WARN2 X-Authentication-Warning: Contains Spam Signature.
+score SARE_HEAD_XAUTH_WARN2 2.500
+#stype SARE_HEAD_XAUTH_WARN2 spamg
+#hist SARE_HEAD_XAUTH_WARN2 Mike Hogsett, Tuesday, May 25, 2004, CSL_X_AUTH_WARN_2
+#counts SARE_HEAD_XAUTH_WARN2 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#max SARE_HEAD_XAUTH_WARN2 46s/0h of 60623 corpus (35501s/25122h RM) 08/11/04
+#counts SARE_HEAD_XAUTH_WARN2 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_HEAD_XAUTH_WARN2 14s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_HEAD_XAUTH_WARN2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_XAUTH_WARN2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HEAD_XAUTH_WARN2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XAUTH_WARN2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_XCANIT1 X-CanItPRO-Stream =~ /^sbw\b/
+describe SARE_HEAD_XCANIT1 Message headers used which identify spam
+score SARE_HEAD_XCANIT1 1.111
+#stype SARE_HEAD_XCANIT1 spamp
+#hist SARE_HEAD_XCANIT1 Enhanced from original SARE_HEAD_HDR_XCANITP rule with help from RoaringPenguin
+#counts SARE_HEAD_XCANIT1 0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#max SARE_HEAD_XCANIT1 7s/0h of 68480 corpus (41098s/27382h RM) 09/18/04
+#counts SARE_HEAD_XCANIT1 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_XCANIT1 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_XCANIT1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XCANIT1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_HEAD_XCANIT_H exists:X-CanItPRO-Stream
+header __SARE_HEAD_XCANIT_S exists:X-Scanned-By
+meta SARE_HEAD_XCANIT2 __SARE_HEAD_XCANIT_H && !__SARE_HEAD_XCANIT_S
+describe SARE_HEAD_XCANIT2 Incomplete anti-spam headers signifying spam
+score SARE_HEAD_XCANIT2 0.555
+#stype SARE_HEAD_XCANIT2 spamp
+#hist SARE_HEAD_XCANIT2 Created by Bob Menschel Jan 29 2005 from information provided by RoaringPenguin
+#counts SARE_HEAD_XCANIT2 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
+#max SARE_HEAD_XCANIT2 2s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#counts SARE_HEAD_XCANIT2 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_XCANIT2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HEAD_XCANIT2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XCANIT2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_XORIP_IP X-Originating-IP =~ /IP/i
+describe SARE_HEAD_XORIP_IP header points to probable spammer
+score SARE_HEAD_XORIP_IP 3.333
+#stype SARE_HEAD_XORIP_IP spamg
+#counts SARE_HEAD_XORIP_IP 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_HEAD_XORIP_IP 4347s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
+#counts SARE_HEAD_XORIP_IP 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_HEAD_XORIP_IP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_XORIP_IP 26s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HEAD_XORIP_IP 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XORIP_IP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_XPRI_RNDNUM X-Priority =~ /PRIORITY_NUMBER/i
+describe SARE_HEAD_XPRI_RNDNUM Spam passed through iswest.net relay
+score SARE_HEAD_XPRI_RNDNUM 1.666
+#stype SARE_HEAD_XPRI_RNDNUM spamg
+#counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
+#counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
+#counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
+#counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+# EOF
+
+# SARE Header Abuse Ruleset for 
SpamAssassin -- file 3
+# Version: 01.03.16
+# Created: 2004-04-25
+# Modified: 2005-10-28
+# Usage instructions and documentation in 70_sare_header0.cf
+
+# Full Revision History / Change Log in 70_sare_header.log
+#@@# 01.03.16 Oct 28 2005
+#@@# Minor score updates based on additional mass-check
+#@@# Archived from file 3: SARE_FREE_WEBM_Excite
+#@@# Archived from file 3: SARE_FREE_WEBM_Softhom
+#@@# Archived from file 3: SARE_FROM_NUM_8DIG; rely on SARE_FROM_NUM_9DIG and SA distrib FROM_ENDS_IN_NUMS
+#@@# Archived from file 3: SARE_HEAD_HDR_XT2PID
+#@@# Archived from file 3: SARE_MSGID_ADDED
+#@@# Archived from file 3: SARE_MSGID_LONG35
+#@@# Archived from file 3: SARE_MULT_VIA_FWCATS
+#@@# Archived from file 3: SARE_RECV_IP_064152200
+#@@# Archived from file 3: SARE_RECV_ISWEST
+#@@# Archived from file 3: SARE_RECV_MANYMX
+#@@# Archived from file 3: SARE_TOCC_BCC_MANY
+#@@# Archived from file 3: SARE_XMAIL_XMAIL
+#@@# Moved file 1 to file 3: SARE_FROM_NONAME
+#@@# Moved file 1 to file 3: SARE_FROM_SPAM_CHAR0
+#@@# Moved file 1 to file 3: SARE_HEAD_XCOM_RFCMIN
+#@@# Moved file 1 to file 3: SARE_RECV_IP_080178
+#@@# Moved file 1 to file 3: SARE_XMAIL_SUSP3
+#@@# Moved file 3 to file 1: SARE_FROM_SPAM_MONEY2
+#@@# Moved file 3 to file 2: SARE_FREE_WEBM_Iamfi
+#@@# Moved file 3 to file 2: SARE_MSGID_ALL_CAPHM
+#@@# Moved file 3 to file 2: SARE_TOCC_MAILDOMN
+#@@# Moved file 3 to file 2: SARE_XMAIL_BULK4
+#@@# Moved file 3 to file 4: SARE_FREE_WEBM_EsYahoo
+#@@# Moved file 3 to file 4: SARE_FREE_WEBM_FrYahoo
+#@@# Moved file 3 to file 4: SARE_FREE_WEBM_MYWAY
+#@@# Moved file 3 to file 4: SARE_FROM_LEAD_PREP
+#@@# Moved file 3 to file 4: SARE_FROM_NUM_9DIG
+#@@# Moved file 3 to file 4: SARE_MSGID_ALL_LC
+#@@# Moved file 3 to file 4: SARE_MSGID_LONG55
+#@@# Moved file 3 to file 4: SARE_MSGID_LONG65
+#@@# Moved file 3 to file 4: SARE_MSGID_LONG75
+#@@# Moved file 3 to file 4: SARE_MULT_LCASE_X2
+#@@# Moved file 3 to file 4: SARE_RECV_SPAM_DOMN05
+#@@# Moved file 3 to 
file 4: SARE_RECV_SUSP_3 +#@@# Replaced __SARE_HEAD_HDR_RCVD with SA 3.1.0 rule __HAS_RCVD + +# License: Artistic - see http://www.rulesemporium.com/license.txt +# Current Maintainer: Bob Menschel - RMSA@Menschel.net +# Current Home: http://www.rulesemporium.com/rules/70_sare_header3.cf + +######## ###################### ################################################## +# Component rules used within meta rules +######## ###################### ################################################## + +header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/ + +##################################################################################### +# SARE Header-Exists rules +######## ###################### ################################################## + +header SARE_HEAD_HDR_XKRNL exists:X-Kernel +describe SARE_HEAD_HDR_XKRNL fingerprint +score SARE_HEAD_HDR_XKRNL 1.405 +#hist SARE_HEAD_HDR_XKRNL Alex Broens, June 30, 2005 +#counts SARE_HEAD_HDR_XKRNL 63s/19h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XKRNL 43s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 +#counts SARE_HEAD_HDR_XKRNL 200s/0h of 12846 corpus (4657s/8189h MM) 06/30/05 + +header SARE_HEAD_HDR_XSEQ exists:X-Sequence +describe SARE_HEAD_HDR_XSEQ Rarely abused email header +score SARE_HEAD_HDR_XSEQ -0.699 +#stype SARE_HEAD_HDR_XSEQ ham +tflags SARE_HEAD_HDR_XSEQ nice +#hist SARE_HEAD_HDR_XSEQ Loren Wilton, July 29 2005 +#counts SARE_HEAD_HDR_XSEQ 42s/1113h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XSEQ 0s/0h of 10551 corpus (5780s/4771h CT) 07/29/05 + +header SARE_HEAD_HDR_XCCDIAG exists:X-CC-Diagnostic +describe SARE_HEAD_HDR_XCCDIAG Message headers used which identify spam +score SARE_HEAD_HDR_XCCDIAG 0.100 +#ham SARE_HEAD_HDR_XCCDIAG confirmed (1) +#counts SARE_HEAD_HDR_XCCDIAG 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05 +#max SARE_HEAD_HDR_XCCDIAG 4s/0h of 268479 corpus (127479s/141000h RM) 06/17/05 +#counts SARE_HEAD_HDR_XCCDIAG 0s/0h 
of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XCCDIAG 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XCCDIAG 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+
+header __SARE_HEAD_HDR_XCNTRY exists:X-country
+header __SARE_HEAD_HDR_XLANG exists:X-language
+meta SARE_HEAD_HDR_XCNTRY __SARE_HEAD_HDR_XCNTRY || __SARE_HEAD_HDR_XLANG
+describe SARE_HEAD_HDR_XCNTRY Message headers used which identify spam
+score SARE_HEAD_HDR_XCNTRY 0.250
+#ham SARE_HEAD_HDR_XCNTRY confirmed (1, valid paypal email to user)
+#counts SARE_HEAD_HDR_XCNTRY 24s/15h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_HDR_XCNTRY 153s/0h of 69632 corpus (42598s/27034h RM) 09/26/04
+#counts SARE_HEAD_HDR_XCNTRY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_HDR_XCNTRY 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XCNTRY 53s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XCNTRY 4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#max SARE_HEAD_HDR_XCNTRY 12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_XCNTRY 0s/2h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_HEAD_HDR_XKASPAV exists:X-Kaspersky-Antivirus
+describe SARE_HEAD_HDR_XKASPAV Message headers used which identify spam
+score SARE_HEAD_HDR_XKASPAV 1.136
+#ham SARE_HEAD_HDR_XKASPAV Can be found in ham from Europe/Asia, esp. 
Russia +#note SARE_HEAD_HDR_XKASPAV Keep in file 3 because " +#counts SARE_HEAD_HDR_XKASPAV 200s/1h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XKASPAV 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_HEAD_HDR_XKASPAV 37s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XKASPAV 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XKASPAV 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XKASPAV 3s/0h of 6924 corpus (1403s/5521h ft) 07/27/05 + +header SARE_HEAD_HDR_XMAILTH exists:X-Mailer-Thread +describe SARE_HEAD_HDR_XMAILTH Message headers used which identify spam +score SARE_HEAD_HDR_XMAILTH 0.338 +#ham SARE_HEAD_HDR_XMAILTH verified (1), likely (7) +#counts SARE_HEAD_HDR_XMAILTH 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XMAILTH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMAILTH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMAILTH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMAILTH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMSGID exists:X-MSGID +describe SARE_HEAD_HDR_XMSGID Message headers used which identify spam +score SARE_HEAD_HDR_XMSGID 0.696 +#ham SARE_HEAD_HDR_XMSGID bankofamerica.com, also X-Mailer: Supernova +#counts SARE_HEAD_HDR_XMSGID 126s/4h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XMSGID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMSGID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMSGID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMSGID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XRETURN exists:X-Return +describe SARE_HEAD_HDR_XRETURN Message headers used which identify spam +score SARE_HEAD_HDR_XRETURN 0.119 +#ham SARE_HEAD_HDR_XRETURN confirmed (1), 
Freelance Work Exchange
+#counts SARE_HEAD_HDR_XRETURN 64s/29h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XRETURN 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XRETURN 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XRETURN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRETURN 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_HEAD_HDR_XSMTPSV exists:X-SMTP-Server
+describe SARE_HEAD_HDR_XSMTPSV Message headers used which identify spam
+score SARE_HEAD_HDR_XSMTPSV 0.338
+#ham SARE_HEAD_HDR_XSMTPSV verified (1)
+#counts SARE_HEAD_HDR_XSMTPSV 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XSMTPSV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XSMTPSV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XSMTPSV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSMTPSV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XSYSTEM exists:X-System
+describe SARE_HEAD_HDR_XSYSTEM Message headers used which identify spam
+score SARE_HEAD_HDR_XSYSTEM 0.625
+#ham SARE_HEAD_HDR_XSYSTEM X-System: Linux hell 2.6.8 i686
+#counts SARE_HEAD_HDR_XSYSTEM 25s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XSYSTEM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XSYSTEM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XSYSTEM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSYSTEM 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_HEAD_HDR_XUMAIL exists:X-UMail
+describe SARE_HEAD_HDR_XUMAIL Message headers used which identify spam
+score SARE_HEAD_HDR_XUMAIL 0.338
+#ham SARE_HEAD_HDR_XUMAIL verified (1)
+#counts SARE_HEAD_HDR_XUMAIL 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XUMAIL 0s/0h of 18196 corpus 
(15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XUMAIL 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XUMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XUMAIL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XUNOLOOK exists:X-unolookiehere
+describe SARE_HEAD_HDR_XUNOLOOK Unique X-header found in email
+score SARE_HEAD_HDR_XUNOLOOK -1.000
+#stype SARE_HEAD_HDR_XUNOLOOK ham
+tflags SARE_HEAD_HDR_XUNOLOOK nice
+#counts SARE_HEAD_HDR_XUNOLOOK 0s/267h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XUNOLOOK 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_HEAD_HDR_XUNOLOOK 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HEAD_HDR_XUNOLOOK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+
+header SARE_HEAD_HDR_XUNSUB exists:X-Unsubscribe
+describe SARE_HEAD_HDR_XUNSUB Message headers used which identify spam
+score SARE_HEAD_HDR_XUNSUB -0.694
+tflags SARE_HEAD_HDR_XUNSUB nice
+#stype SARE_HEAD_HDR_XUNSUB ham
+#ham SARE_HEAD_HDR_XUNSUB Used by valid newsletters or lists
+#counts SARE_HEAD_HDR_XUNSUB 0s/25h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_HDR_XUNSUB 15s/94h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_HEAD_HDR_XUNSUB 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XUNSUB 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XUNSUB 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XUNSUB 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __HAS_RCVD exists:Received
+header __SARE_HEAD_MOZ_DRAFT exists:X-Mozilla-Draft-Info
+meta SARE_HEAD_MOZ_DRAFT __SARE_HEAD_MOZ_DRAFT && __HAS_RCVD
+score SARE_HEAD_MOZ_DRAFT 0.646
+#ham SARE_HEAD_MOZ_DRAFT ham seems to be only on mails added to corpus from "sent" folders
+#ham SARE_HEAD_MOZ_DRAFT Seen in ham starting 4/23/05. Update to Mozilla email client?
+#counts SARE_HEAD_MOZ_DRAFT 0s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 +#max SARE_HEAD_MOZ_DRAFT 195s/0h of 120459 corpus (71363s/49096h RM) 02/12/05 +#counts SARE_HEAD_MOZ_DRAFT 48s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_MOZ_DRAFT 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_HEAD_MOZ_DRAFT 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#max SARE_HEAD_MOZ_DRAFT 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_HEAD_MOZ_DRAFT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +##################################################################################### +# SARE Content-Type and Boundary rules +######## ###################### ################################################## + +header SARE_BOUNDARY_MULTB Content-Type =~ /boundary="= Multipart Boundary /i +describe SARE_BOUNDARY_MULTB Content type boundary used in spam and viruses +score SARE_BOUNDARY_MULTB 0.229 +#ham SARE_BOUNDARY_MULTB confirmed(2), moveon.org, bordc.org +#hist SARE_BOUNDARY_MULTB Created by Bob Menschel Aug 24 2004 +#counts SARE_BOUNDARY_MULTB 216s/53h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_BOUNDARY_MULTB 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04 +#counts SARE_BOUNDARY_MULTB 5s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_BOUNDARY_MULTB 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_BOUNDARY_MULTB 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +##################################################################################### +# SARE From Rules +######## ###################### ################################################## + +header SARE_FROM_DEBT From =~ m'debt'i +describe SARE_FROM_DEBT From debt spammer +score SARE_FROM_DEBT 0.736 +#ham SARE_FROM_DEBT ffcdebthelp.com +#hist SARE_FROM_DEBT Created by Fred Tarasevicius Sep 14 2004 +#counts SARE_FROM_DEBT 858s/30h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FROM_DEBT 3s/0h of 
54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FROM_DEBT 84s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 +#max SARE_FROM_DEBT 93s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 +#counts SARE_FROM_DEBT 24s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FROM_DEBT 37s/0h of 7500 corpus (1767s/5733h ft) 09/18/05 + +header SARE_FROM_DLL From =~ m'\b\d[a-z][a-z]\.(?:com|net|biz|info)\b'i +describe SARE_FROM_DLL Via a digit-letter-letter domain +score SARE_FROM_DLL 0.473 +#ham SARE_FROM_DLL verified (3) +#hist SARE_FROM_DLL Created by Bob Menschel Aug 23 2004 +#counts SARE_FROM_DLL 156s/22h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FROM_DLL 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#max SARE_FROM_DLL 6s/0h of 18651 corpus (16120s/2531h MY) 08/29/04 +#counts SARE_FROM_DLL 9s/2h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FROM_DLL 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FROM_DLL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FROM_MULTI_DASH From =~ /\@.*--/ +describe SARE_FROM_MULTI_DASH From domain has multiple consecutive hyphens +score SARE_FROM_MULTI_DASH 0.934 +#hist SARE_FROM_MULTI_DASH Tim Jackson, May 12 2005 +#ham SARE_FROM_MULTI_DASH Valid email seen from gs at g--s dot de +#counts SARE_FROM_MULTI_DASH 29s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FROM_MULTI_DASH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_FROM_MULTI_DASH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_FROM_MULTI_DASH 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 + +header SARE_FROM_NONAME From =~ /"" +#counts SARE_FROM_PHRASE 222s/88h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FROM_PHRASE 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#max SARE_FROM_PHRASE 10s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_FROM_PHRASE 16s/6h of 47809 corpus (43224s/4585h MY) 07/27/05 +#max 
SARE_FROM_PHRASE 17s/5h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_FROM_PHRASE 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_FROM_PHRASE 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FROM_PHRASE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_PRINTER From =~ /\bprinter\b/i
+describe SARE_FROM_PRINTER From user address seems to contain spam topic
+score SARE_FROM_PRINTER 0.444
+#counts SARE_FROM_PRINTER 69s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_FROM_PRINTER 98s/4h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_FROM_PRINTER 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_PRINTER 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_FROM_PRINTER 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_FROM_PRINTER 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FROM_PRINTER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_QUOTE From =~ /quote/i
+describe SARE_FROM_QUOTE From name/address has "quote" as part of it
+score SARE_FROM_QUOTE 0.473
+#hist SARE_FROM_QUOTE Fred Tarasevicius, FH_FROM_QUOTE
+#ham SARE_FROM_QUOTE resume from email account at intelliquote.com, hostquote@webhostdir.com
+#ham SARE_FROM_QUOTE WisdomToday.com
+#counts SARE_FROM_QUOTE 419s/83h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_QUOTE 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_QUOTE 282s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_QUOTE 16s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FROM_QUOTE 4s/2h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_FROM_SPAM_CHAR0a From =~ /^\?/i
+describe SARE_FROM_SPAM_CHAR0a Sender name has unexpected or invalid characters
+score SARE_FROM_SPAM_CHAR0a 0.636
+#counts SARE_FROM_SPAM_CHAR0a 1408s/105h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_SPAM_CHAR0a 54s/0h of 55848 corpus 
(18671s/37177h JH-3.01) 06/10/05
+#max SARE_FROM_SPAM_CHAR0a 55s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_SPAM_CHAR0a 45s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_SPAM_CHAR0a 22s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FROM_SPAM_CHAR0a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_SPAM_CHAR0b From =~ /^\$/i
+describe SARE_FROM_SPAM_CHAR0b Sender name has unexpected or invalid characters
+score SARE_FROM_SPAM_CHAR0b 0.636
+#counts SARE_FROM_SPAM_CHAR0b 1408s/105h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_SPAM_CHAR0b 54s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FROM_SPAM_CHAR0b 55s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_SPAM_CHAR0b 45s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_SPAM_CHAR0b 22s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FROM_SPAM_CHAR0b 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_SPAM_CHAR5 From =~ /zzz/i
+describe SARE_FROM_SPAM_CHAR5 Sender name has unlikely character string
+score SARE_FROM_SPAM_CHAR5 0.640
+#ham SARE_FROM_SPAM_CHAR5 Postmaster (valid bounce)
+#counts SARE_FROM_SPAM_CHAR5 114s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_SPAM_CHAR5 4s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_FROM_SPAM_CHAR5 30s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_FROM_SPAM_CHAR5 3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_FROM_SPAM_CHAR5 9s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FROM_SPAM_CHAR5 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_SPAM_CHAR5 0s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_FROM_SUPPORT_DIG From =~ /\bsupport\d/i
+describe SARE_FROM_SUPPORT_DIG From user address is used by spammer
+score SARE_FROM_SUPPORT_DIG 0.135
+#ham SARE_FROM_SUPPORT_DIG support1 @ $10domains.com
+#hist 
SARE_FROM_SUPPORT_DIG Created by Bob Menschel Oct 07 2004 +#counts SARE_FROM_SUPPORT_DIG 9s/1h of 689155 corpus (348140s/341015h RM) 09/18/05 +#max SARE_FROM_SUPPORT_DIG 25s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_FROM_SUPPORT_DIG 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FROM_SUPPORT_DIG 1s/4h of 47809 corpus (43224s/4585h MY) 07/27/05 +#counts SARE_FROM_SUPPORT_DIG 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FROM_SUPPORT_DIG 5s/1h of 6924 corpus (1403s/5521h ft) 07/27/05 + +##################################################################################### +# SARE From Rules -- Emails coming from free webmail accounts +# Since spam from these can vary depending upon country of origin, +# country of destination, policies, and enforcement of policies, +# most of these are kept as separate rules rather than combined. +######## ###################### ################################################## + +header SARE_FREE_WEBM_123 From =~ /\b123\.com/i +describe SARE_FREE_WEBM_123 Sender used free email account - may be spammer +score SARE_FREE_WEBM_123 0.389 +#ham SARE_FREE_WEBM_123 confirmed: 1, anonymous response via feedback page +#counts SARE_FREE_WEBM_123 14s/1h of 689155 corpus (348140s/341015h RM) 09/18/05 +#max SARE_FREE_WEBM_123 62s/0h of 97268 corpus (79437s/17831h RM) 01/24/04 +#counts SARE_FREE_WEBM_123 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 +#max SARE_FREE_WEBM_123 5s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_FREE_WEBM_123 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 +#max SARE_FREE_WEBM_123 10s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_FREE_WEBM_123 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_FREE_WEBM_123 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FREE_WEBM_CZSEZNA From =~ /\@seznam\.cz/i +describe SARE_FREE_WEBM_CZSEZNA Sender used free email account - may be spammer +score 
SARE_FREE_WEBM_CZSEZNA 0.248
+#hist SARE_FREE_WEBM_CZSEZNA Created by Bob Menschel May 31 2004
+#ham SARE_FREE_WEBM_CZSEZNA Confirmed (2) by JH
+#counts SARE_FREE_WEBM_CZSEZNA 41s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_CZSEZNA 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_FREE_WEBM_CZSEZNA 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FREE_WEBM_CZSEZNA 91s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_CZSEZNA 186s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FREE_WEBM_CZSEZNA 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_FREE_WEBM_CZSEZNA 7s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_CZSEZNA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FREE_WEBM_LAPOSTE From =~ /\@laposte\.net/i
+describe SARE_FREE_WEBM_LAPOSTE Maybe spammer with free email
+score SARE_FREE_WEBM_LAPOSTE 0.721
+#hist SARE_FREE_WEBM_LAPOSTE Created by Bob Menschel May 31 2004
+#counts SARE_FREE_WEBM_LAPOSTE 108s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_LAPOSTE 1s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FREE_WEBM_LAPOSTE 9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FREE_WEBM_LAPOSTE 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_LAPOSTE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FREE_WEBM_Purin From =~ /\bpurinmail\.com/i
+describe SARE_FREE_WEBM_Purin Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Purin 0.650
+#hist SARE_FREE_WEBM_Purin Created by Bob Menschel Mar 26 2004
+#counts SARE_FREE_WEBM_Purin 12s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_FREE_WEBM_Purin 15s/0h of 125163 corpus (104972s/20191h) 03/28/04
+#counts SARE_FREE_WEBM_Purin 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FREE_WEBM_Purin 0s/0h of 45478 corpus (41529s/3949h MY) 
05/16/05
+#max SARE_FREE_WEBM_Purin 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_FREE_WEBM_Purin 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FREE_WEBM_Purin 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FREE_WEBM_RuMail From =~ /\@mail\.ru/i
+describe SARE_FREE_WEBM_RuMail Sender used free email account - may be spammer
+score SARE_FREE_WEBM_RuMail 0.671
+#counts SARE_FREE_WEBM_RuMail 740s/36h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_RuMail 15s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_FREE_WEBM_RuMail 19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FREE_WEBM_RuMail 11s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_FREE_WEBM_RuMail 27s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FREE_WEBM_RuMail 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_FREE_WEBM_RuMail 9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FREE_WEBM_RuMail 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FREE_WEBM_Smapxsm From =~ /\bsmapxsmap\.net/i
+describe SARE_FREE_WEBM_Smapxsm Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Smapxsm 0.667
+#counts SARE_FREE_WEBM_Smapxsm 12s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_Smapxsm 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FREE_WEBM_Smapxsm 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_FREE_WEBM_Smapxsm 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FREE_WEBM_Smapxsm 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_FREE_WEBM_Smapxsm 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_Smapxsm 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FREE_WEBM_SURIML From =~ /\bsurimail\.com/i
+describe SARE_FREE_WEBM_SURIML Sender used free email account - may be spammer
+score SARE_FREE_WEBM_SURIML 0.555
+#hist 
SARE_FREE_WEBM_SURIML Created by Bob Menschel June 12 2004
+#counts SARE_FREE_WEBM_SURIML 2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_SURIML 0s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FREE_WEBM_SURIML 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_FREE_WEBM_SURIML 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FREE_WEBM_SURIML 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Message-ID rules
+######## ###################### ##################################################
+
+header SARE_MSGID_LONG MESSAGEID =~ /<.{135,}>/
+describe SARE_MSGID_LONG Message ID is too long.
+score SARE_MSGID_LONG 0.202
+#ham SARE_MSGID_LONG confirmed (1)
+#hist SARE_MSGID_LONG Jesse Houwing, August 20 2004
+#counts SARE_MSGID_LONG 18s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_MSGID_LONG 97s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_MSGID_LONG 29s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_MSGID_LONG 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_MSGID_LONG 7s/0h of 34763 corpus (18647s/16116h MY) 08/25/04
+#counts SARE_MSGID_LONG 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_MSGID_LONG 8s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_LONG 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_MSGID_LONG40 MESSAGEID =~ /[a-z0-9\$]{40}/
+meta SARE_MSGID_LONG40 __SARE_MSGID_LONG40 && !__SARE_MSGID_LONG45 && !__SARE_MSGID_LONG50 && !__SARE_MSGID_LONG55 && !__SARE_MSGID_LONG65 && !__SARE_MSGID_LONG75
+describe SARE_MSGID_LONG40 Message ID has suspicious length
+score SARE_MSGID_LONG40 0.637
+#hist SARE_MSGID_LONG40 Created by Frederic Tarasevicius
+#counts SARE_MSGID_LONG40 132s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_MSGID_LONG40 350s/5h of 238550 corpus 
(112525s/126025h RM) 02/28/05
+#counts SARE_MSGID_LONG40 67s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_MSGID_LONG40 10s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_MSGID_LONG40 45s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_MSGID_LONG40 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_MSGID_LONG40 29s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_LONG40 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_MSGID_LONG45 MESSAGEID =~ /[a-z0-9\$]{45}/
+meta SARE_MSGID_LONG45 __SARE_MSGID_LONG45 && !__SARE_MSGID_LONG50 && !__SARE_MSGID_LONG55 && !__SARE_MSGID_LONG65 && !__SARE_MSGID_LONG75
+describe SARE_MSGID_LONG45 Message ID has suspicious length
+score SARE_MSGID_LONG45 0.893
+#hist SARE_MSGID_LONG45 Created by Frederic Tarasevicius
+#counts SARE_MSGID_LONG45 450s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_MSGID_LONG45 7s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_MSGID_LONG45 28s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_MSGID_LONG45 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_MSGID_LONG45 4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_LONG45 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Received Header Rules
+######## ###################### ##################################################
+
+header SARE_HELO_EQ_CUST X-Spam-Relays-Untrusted =~ /helo=\S*\.customer/i
+score SARE_HELO_EQ_CUST 0.122
+#ham SARE_HELO_EQ_CUST MyCheckFree, billpay@billpay.bankofamerica.com,
+#hist SARE_HELO_EQ_CUST Frederic Tarasevicius, Feb 22 2005
+#counts SARE_HELO_EQ_CUST 108s/42h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HELO_EQ_CUST 27s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HELO_EQ_CUST 23s/6h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts 
SARE_HELO_EQ_CUST 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_HELO_EQ_CUST 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HELO_SENDER Received =~ /helo=sender/i
+describe SARE_HELO_SENDER Received header has possible spamsign
+score SARE_HELO_SENDER 0.486
+#hist SARE_HELO_SENDER Originally submitted by Bob Menschel. RM.hr_HeloSender
+#ham SARE_HELO_SENDER American Express email to online business accepting their cards
+#counts SARE_HELO_SENDER 33s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HELO_SENDER 33s/3h of 60630 corpus (35509s/25121h RM) 08/11/04
+#counts SARE_HELO_SENDER 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HELO_SENDER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HELO_SENDER 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HELO_SENDER 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HELO_SENDER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HELO_SERVER Received =~ /\(helo=server\)/i
+describe SARE_HELO_SERVER Received header has possible spamsign
+score SARE_HELO_SERVER 0.722
+#ham SARE_HELO_SERVER confirmed (4): "opt-in" messages from Canon, ASDS Computer Co. 
software registration confirmation
+#counts SARE_HELO_SERVER 25s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HELO_SERVER 104s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
+#counts SARE_HELO_SERVER 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HELO_SERVER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HELO_SERVER 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HELO_SERVER 8s/3h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HELO_SERVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_CHAR_CARAT Received =~ /\^/
+describe SARE_RECV_CHAR_CARAT Received header has apparently invalid character
+score SARE_RECV_CHAR_CARAT 0.619
+#ham SARE_RECV_CHAR_CARAT confirmed (1)
+#hist SARE_RECV_CHAR_CARAT Created by Bob Menschel May 3 2004
+#counts SARE_RECV_CHAR_CARAT 23s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_CHAR_CARAT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_RECV_CHAR_CARAT 2s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_CHAR_CARAT 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_CHAR_CARAT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_CHAR_CARAT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_INFOSAT Received =~ /\binfosat\.(?:com|net)/
+describe SARE_RECV_INFOSAT Email passed through apparent spammer domain
+score SARE_RECV_INFOSAT 0.618
+#counts SARE_RECV_INFOSAT 37s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_INFOSAT 484s/35h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_RECV_INFOSAT 18s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_INFOSAT 17s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_INFOSAT 5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_INFOSAT 2s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_RECV_SPAM_DOMN03 Received =~ 
/\b(?:takas)\.lt/
+describe SARE_RECV_SPAM_DOMN03 Email passed through apparent spammer domain
+score SARE_RECV_SPAM_DOMN03 0.646
+#counts SARE_RECV_SPAM_DOMN03 56s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN03 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_RECV_SPAM_DOMN03 7s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_SPAM_DOMN03 3s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_SPAM_DOMN03 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_SPAM_DOMN03 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_DOMN03 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_RECV_SPAM_DOMN07 Received =~ /\bnoos\.fr/
+describe SARE_RECV_SPAM_DOMN07 Spam passed through noos.fr relay
+score SARE_RECV_SPAM_DOMN07 0.615
+#counts SARE_RECV_SPAM_DOMN07 370s/44h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN07 40s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_DOMN07 55s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_SPAM_DOMN07 18s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_SPAM_DOMN07 8s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_SPAM_NAME1 Received =~ /\bHINET-IP/i
+describe SARE_RECV_SPAM_NAME1 Email passed through probable spammer relay
+score SARE_RECV_SPAM_NAME1 0.614
+#counts SARE_RECV_SPAM_NAME1 349s/35h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_NAME1 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_NAME1 11s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#max SARE_RECV_SPAM_NAME1 15s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_SPAM_NAME1 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_SPAM_NAME1 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_NAME1 1s/0h of 6924 corpus (1403s/5521h ft) 
07/27/05
+
+header SARE_RECV_SPAM_NAME2 Received =~ /\bnetvigator\.com/
+describe SARE_RECV_SPAM_NAME2 Spam passed through netvigator.com system
+score SARE_RECV_SPAM_NAME2 0.393
+#hist SARE_RECV_SPAM_NAME2 Created by Bob Menschel June 9 2004
+#ham SARE_RECV_SPAM_NAME2 Appropriate (probably not spam) UCE via TradeEasy to CW.com, 3 in 2003, 1 in 2004
+#counts SARE_RECV_SPAM_NAME2 155s/24h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_NAME2 19s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_NAME2 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_RECV_SPAM_NAME2 5s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_RECV_SPAM_NAME2 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_SPAM_NAME2 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_NAME2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Received Header IP Address Rules
+######## ###################### ##################################################
+
+header SARE_RECV_IP_066111 Received =~ /\[66\.111\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
+describe SARE_RECV_IP_066111 Passed through possible spammer relay or source
+score SARE_RECV_IP_066111 0.347
+#ham SARE_RECV_IP_066111 confirmed (1)
+#note SARE_RECV_IP_066111 WebHostPlus
+#hist SARE_RECV_IP_066111 Created by Bob Menschel Nov 27 2004
+#counts SARE_RECV_IP_066111 38s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_066111 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_066111 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_066111 90s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_066111 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_066111 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_069194 Received =~ /from 
\[62\.19[45]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_069194 Spam passed through possible spammer relay
+score SARE_RECV_IP_069194 1.666
+#stype SARE_RECV_IP_069194 spamp
+#counts SARE_RECV_IP_069194 14s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_RECV_IP_069194 213s/0h of 106584 corpus (86917s/19667h) 03/13/04
+#counts SARE_RECV_IP_069194 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_069194 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_069194 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_069194 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_080032 Received =~ /\[80\.32\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_080032 Spam passed through possible spammer relay
+score SARE_RECV_IP_080032 0.615
+#ham SARE_RECV_IP_080032 confirmed (1)
+#hist SARE_RECV_IP_080032 Created by Bob Menschel Apr 28 2004
+#counts SARE_RECV_IP_080032 30s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_080032 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_RECV_IP_080032 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_080032 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_080032 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_080032 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_080032 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_RECV_IP_080040 Received =~ /\[80\.4[1-7]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_080040 Spam passed through possible spammer relay
+score SARE_RECV_IP_080040 0.456
+#ham SARE_RECV_IP_080040 confirmed (6)
+#hist SARE_RECV_IP_080040 Created by Bob Menschel June 7 2004
+#counts SARE_RECV_IP_080040 298s/21h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_080040 11s/18h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_080040 14s/0h of 47809 
corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_080040 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_080040 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_080040 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_080178 Received =~ /\[80\.17[89]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_080178 Spam passed through possible spammer relay
+score SARE_RECV_IP_080178 0.391
+#ham SARE_RECV_IP_080178 Family email from Israel
+#counts SARE_RECV_IP_080178 409s/60h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_080178 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_080178 21s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_080178 11s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_IP_080178 11s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_080178 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_080178 1s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_222126 Received =~ /\[222\.126\.(?:\d{1,2}|1[01]\d|12[0-7])\.\d{1,3}\]/
+describe SARE_RECV_IP_222126 Passed through possible spammer relay or source
+score SARE_RECV_IP_222126 0.612
+#note SARE_RECV_IP_222126 Infocom, Makati City, PH
+#hist SARE_RECV_IP_222126 Created by Bob Menschel Dec 01 2004
+#counts SARE_RECV_IP_222126 37s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_222126 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_222126 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_222126 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_222126 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_222126 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Reply-To Rules
+######## 
###################### ##################################################
+
+header SARE_REPLY_SPAMWORD2 Reply-To =~ /(?:amateur|funny|interacia)/i
+describe SARE_REPLY_SPAMWORD2 Reply-To email addr incl spam indicator word
+score SARE_REPLY_SPAMWORD2 0.486
+#ham SARE_REPLY_SPAMWORD2 confrmed (1)
+#counts SARE_REPLY_SPAMWORD2 10s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_REPLY_SPAMWORD2 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_REPLY_SPAMWORD2 1s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_REPLY_SPAMWORD2 25s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_REPLY_SPAMWORD2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_REPLY_SPAMWORD2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE TO & CC Rules
+######## ###################### ##################################################
+
+header SARE_TOCC_SLASHES ToCc =~ m'//'
+describe SARE_TOCC_SLASHES Spam sign: double slashes in To/Cc headers
+score SARE_TOCC_SLASHES 0.111
+#counts SARE_TOCC_SLASHES 4s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_TOCC_SLASHES 9s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
+#counts SARE_TOCC_SLASHES 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_SLASHES 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_SLASHES 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_SLASHES 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE X-Mailer Rules
+######## ###################### ##################################################
+
+header SARE_XMAIL_BULK3a X-Mailer =~ /Foxmail/i
+describe SARE_XMAIL_BULK3a Uses bulk mailer used by spammers
+score SARE_XMAIL_BULK3a 0.735
+#ham SARE_XMAIL_BULK3a ham from 2003 from China, "Foxmail 4.[12] \[cn\]", same as 
found in spam
+#hist SARE_XMAIL_BULK3a Bob Menschel: PSS Bulk Mailer, Calypso
+#counts SARE_XMAIL_BULK3a 2166s/65h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_BULK3a 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_XMAIL_BULK3a 5s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_XMAIL_BULK3a 0s/1h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_XMAIL_BULK3a 4s/1h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_XMAIL_BULK3a 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_BULK3a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#todo SARE_XMAIL_BULK5 Add test for BSP-Trusted.
+header SARE_XMAIL_BULK5 X-Mailer =~ /(?:Roving Constant Contact)/i
+describe SARE_XMAIL_BULK5 Uses ham mailer, sometimes abused
+score SARE_XMAIL_BULK5 0.648
+#hist SARE_XMAIL_BULK5 Bob Menschel: Roving Constant Contact
+#counts SARE_XMAIL_BULK5 1641s/90h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_XMAIL_BULK5 1900s/67h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_XMAIL_BULK5 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_XMAIL_BULK5 0s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_XMAIL_BULK5 0s/3h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_XMAIL_BULK5 3s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_BULK5 0s/2h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_XMAIL_LCDD X-Mailer=~/^[a-z]+ \d\.\d$/
+describe SARE_XMAIL_LCDD Ratware mailer
+score SARE_XMAIL_LCDD 0.642
+#ham SARE_XMAIL_LCDD X-Mailer: reportbug 3.8, tlmpmail 0.9
+#counts SARE_XMAIL_LCDD 134s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_XMAIL_LCDD 172s/0h of 33004 corpus (9761s/23243h RM) 05/21/04
+#counts SARE_XMAIL_LCDD 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_XMAIL_LCDD 31s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
+#counts SARE_XMAIL_LCDD 0s/0h of 20489 corpus (17189s/3300h MY) 
01/30/05
+#counts SARE_XMAIL_LCDD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_LCDD 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_XMAIL_SUSP3 X-Mailer=~ /^(?:[a-z\-]+\s+[a-z\-]+(?:,\s+[a-z\-]+)?|[a-z\-]+ \d\.\d)$/
+meta SARE_XMAIL_SUSP3 __SARE_XMAIL_SUSP3 && !SARE_XMAIL_LCDD
+describe SARE_XMAIL_SUSP3 Contains a suspicious X-Mailer header
+score SARE_XMAIL_SUSP3 1.208
+#hist SARE_XMAIL_SUSP3 Jesse Houwing, SARE_TM2_RW_XM
+#hist SARE_XMAIL_SUSP3 Modified to meta to avoid overlap with SARE_XMAIL_LCDD; must be in same file as LCDD
+#ham SARE_XMAIL_SUSP3 "a script" from macromedia.com
+#counts SARE_XMAIL_SUSP3 137s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_XMAIL_SUSP3 505s/1h of 85084 corpus (62489s/22595h RM) 06/08/04
+#counts SARE_XMAIL_SUSP3 97s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_XMAIL_SUSP3 291s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_XMAIL_SUSP3 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_XMAIL_SUSP3 49s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_XMAIL_SUSP3 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_XMAIL_SUSP3 10s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_XMAIL_SUSP3 0s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#max SARE_XMAIL_SUSP3 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+#####################################################################################
+# SARE Miscellaneous and X-Header header rules
+######## ###################### ##################################################
+
+header SARE_HEAD_DATE39 Date =~ /^.{39}$/
+describe SARE_HEAD_DATE39 Date header suggests this is spam
+score SARE_HEAD_DATE39 0.660
+#counts SARE_HEAD_DATE39 151s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_DATE39 264s/3h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_HEAD_DATE39 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts 
SARE_HEAD_DATE39 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HEAD_DATE39 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE39 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_DATE61 Date =~ /^.{57,61}$/
+score SARE_HEAD_DATE61 -1.000
+tflags SARE_HEAD_DATE61 nice
+#stype SARE_HEAD_DATE61 ham
+#counts SARE_HEAD_DATE61 0s/72h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE61 0s/5h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
+#counts SARE_HEAD_DATE61 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HEAD_DATE61 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE61 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_HEAD_DATE_ADDED Date =~ /\(added by/
+describe SARE_HEAD_DATE_ADDED Original email had no date - added by later system
+score SARE_HEAD_DATE_ADDED 0.139
+#ham SARE_HEAD_DATE_ADDED technical notification email from att.com
+#counts SARE_HEAD_DATE_ADDED 3s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_HEAD_DATE_ADDED 21s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_DATE_ADDED 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_DATE_ADDED 0s/1h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HEAD_DATE_ADDED 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE_ADDED 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_HEAD_DATE_L1a Date =~ /.{50}/
+header __SARE_HEAD_DATE_L1b Date =~ /added by/
+meta SARE_HEAD_DATE_LONG1 __SARE_HEAD_DATE_L1a && !__SARE_HEAD_DATE_L1b
+describe SARE_HEAD_DATE_LONG1 Date header has interesting length
+score SARE_HEAD_DATE_LONG1 -0.500
+tflags SARE_HEAD_DATE_LONG1 nice
+#stype SARE_HEAD_DATE_LONG1 ham
+#hist SARE_HEAD_DATE_LONG1 Developed by Bob Menschel from rule by Frederic Tarasevicius
+#hist SARE_HEAD_DATE_LONG1 Reduce spam hits, Oct 13 2005, Bob Menschel
+#counts SARE_HEAD_DATE_LONG1 97s/3020h of 689155 
corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE_LONG1 2s/25h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_DATE_LONG1 0s/1h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HEAD_DATE_LONG1 0s/3h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_DATE_LONG1 0s/28h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_HEAD_XCOM_RFCMIN X-Comment =~ /Sending client does not conform to RFC822 minimum requirements/i
+describe SARE_HEAD_XCOM_RFCMIN AT&T Maillennium does not like this email
+score SARE_HEAD_XCOM_RFCMIN 0.555
+#ham SARE_HEAD_XCOM_RFCMIN confirmed (2)
+#hist SARE_HEAD_XCOM_RFCMIN Created by Bob Menschel Sep 05 2004
+#counts SARE_HEAD_XCOM_RFCMIN 3s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_XCOM_RFCMIN 3s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 19447 corpus (16862s/2585h MY) 09/05/04
+#counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
+#counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Rules which examine multiple header types
+######## ###################### ##################################################
+
+header __SARE_HEAD_8BIT_HDRS ALL =~ /[\x80-\xff]{3,}/
+header SUBJ_ILLEGAL_CHARS eval:check_illegal_chars('Subject','0.00','2')
+#note SUBJ_ILLEGAL_CHARS Standard SpamAssassin rule/test
+#counts __SARE_HEAD_8BIT_HDRS 14742s/63h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts __SARE_HEAD_8BIT_HDRS 1297s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts __SARE_HEAD_8BIT_HDRS 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+header __SARE_HEAD_8BIT_RPLY Reply-To =~ /[\x80-\xff]{3,}/
+#counts __SARE_HEAD_8BIT_RPLY 6259s/9h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts __SARE_HEAD_8BIT_RPLY 728s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts __SARE_HEAD_8BIT_RPLY 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+header __SARE_HEAD_8BIT_FROM From =~ /[\x80-\xff]{3,}/
+#counts __SARE_HEAD_8BIT_FROM 8565s/23h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts __SARE_HEAD_8BIT_FROM 1823s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts __SARE_HEAD_8BIT_FROM 2s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+
+meta SARE_HEAD_8BIT_NOSPM __SARE_HEAD_8BIT_HDRS && !__SARE_HEAD_8BIT_DATE && !__SARE_HEAD_8BIT_RECV && !__SARE_HEAD_8BIT_SUBJ
+describe SARE_HEAD_8BIT_NOSPM Header with 8-bit char suggests spam
+score SARE_HEAD_8BIT_NOSPM 0.385
+#hist SARE_HEAD_8BIT_NOSPM June 18 2005, Bob Menschel: Added exclusion for subject header
+#counts SARE_HEAD_8BIT_NOSPM 593s/85h of 689155 corpus (348140s/341015h RM) 09/18/05
+#max SARE_HEAD_8BIT_NOSPM 164s/80h of 268479 corpus (127479s/141000h RM) 06/17/05
+#counts SARE_HEAD_8BIT_NOSPM 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_8BIT_HDRS && !__SARE_HEAD_8BIT_NOSPM && !SARE_HEAD_8BIT_DATE && !SARE_HEAD_8BIT_RECV && !__SARE_HEAD_8BIT_SUBJ
+describe SARE_HEAD_8BIT_SPAM High-ascii characters found in strange header
+score SARE_HEAD_8BIT_SPAM 1.666
+#hist SARE_HEAD_8BIT_SPAM From Bugzilla # 2243
+#hist SARE_HEAD_8BIT_SPAM June 18 2005, Bob Menschel: Added exclusion for subject header
+#todo%%% SARE_HEAD_8BIT_SPAM Analysis on avoiding the ham
+
+meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_8BIT_SUBJ && !SUBJ_ILLEGAL_CHARS
+describe SARE_HEAD_8BIT_SPAM High-ascii characters found in subject header
+score SARE_HEAD_8BIT_SPAM 0.888
+#hist SARE_HEAD_8BIT_SPAM Bob Menschel implementation, June 17 2005
+#counts SARE_HEAD_8BIT_SPAM 7948s/130h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_8BIT_SPAM 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_HEAD_8BIT_SPAM 1s/2h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_HEAD_8BIT_SPAM 5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+# EOF
+
diff --git a/common/sare/70_sare_header0.cf b/common/sare/70_sare_header0.cf
new file mode 100644
index 0000000..07b7a81
--- /dev/null
+++ b/common/sare/70_sare_header0.cf
@@ -0,0 +1,1742 @@
+# SARE Header Abuse Ruleset for SpamAssassin -- file 0
+# Version: 01.03.21
+# Created: 2004-04-25
+# Modified: 2006-05-21
+# Usage instructions and documentation in 70_sare_header0.cf
+
+# Full Revision History / Change Log in 70_sare_header.log
+#@@# 01.03.17 May 11 2006
+#@@# Minor score updates based on additional mass-check
+#@@# Added to file 0: SARE_HEAD_FAKEPGP, SARE_HELO_GMAILSMTP
+#@@# Mod: SARE_FROM_SPAM_NAME2A Added boundary to regex pattern
+#@@# Modified "rule has been moved" meta flags
+#@@# Modified SARE_FROM_BADAOL Added cs.com to __SARE_FROM_GOODAOL, Bob Menschel 11/11/05, suggested by Gabriel Billington
+#@@# Modified SARE_FROM_SPAM_NAME2 removed "funpage" entry
+#@@# Modified SARE_FROM_WSJ to avoid real WSJ emails
+#@@# Modified SARE_HEAD_HDR_XGMXAV Added test: not passed through GMX system, suggested by Wolfgang Zeikat, Nov 2005
+#@@# Moved file 0 to file 1: SARE_FREE_WEBM_EsTerra
+#@@# Moved file 0 to file 1: SARE_HEAD_DATE46
+#@@# Moved file 0 to file 1: SARE_HEAD_HDR_XEMAIL
+#@@# Moved file 0 to file 1: SARE_RECV_IP_063106130
+#@@# 01.03.18 May 15 006
+#@@# Minor score updates based on additional mass-check
+#@@# Moved file 0 to file 1 SARE_FROM_SPAM_NAME2A
+#@@# Moved file 0 to file 1 SARE_HEAD_MIME_INVALID
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_CONVER
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_NLETRID
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_PID
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_XBNCETR
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_XGMAILA
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_XIDSRVR
+#@@# Moved file 0 to file 2 SARE_BOUNDARY_02
+#@@# Moved file 0 to file 2 SARE_BOUNDARY_ANYDIG
+#@@# Moved file 0 to file 2 SARE_BOUNDARY_D11
+#@@# Moved file 0 to file 2 SARE_FROM_SPAM_NAME2
+#@@# Moved file 0 to file 2 SARE_FROM_WSJ
+#@@# Moved file 0 to file 2 SARE_MSGID_HEX30
+#@@# Moved file 0 to file 2 SARE_HELO_MAILUSER
+#@@# Moved file 0 to file 2 SARE_RECV_LOCALHOST
+#@@# Moved file 0 to file 2 SARE_RECV_SUSP_2
+#@@# Moved file 0 to file 2 SARE_RECV_TRADVALUES
+#@@# Moved file 0 to file 2 SARE_RECV_VIPLIST
+#@@# Moved file 0 to file 2 SARE_RECV_XACTRIX
+#@@# Moved file 0 to file 2 SARE_RECV_IP_004078
+#@@# Moved file 0 to file 2 SARE_RECV_IP_038112147
+#@@# Moved file 0 to file 2 SARE_RECV_IP_064069032
+#@@# Moved file 0 to file 2 SARE_RECV_IP_064192082
+#@@# Moved file 0 to file 2 SARE_RECV_IP_066063
+#@@# Moved file 0 to file 2 SARE_RECV_IP_066114a
+#@@# Moved file 0 to file 2 SARE_RECV_IP_066159017
+#@@# Moved file 0 to file 2 SARE_RECV_IP_069060122
+#@@# Moved file 0 to file 2 SARE_RECV_IP_070096177
+#@@# Moved file 0 to file 2 SARE_RECV_IP_207182
+#@@# Moved file 0 to file 2 SARE_RECV_IP_208048182
+#@@# Moved file 0 to file 2 SARE_RECV_IP_216055133
+#@@# Moved file 0 to file 2 SARE_REPLY_XACTRIX
+#@@# Moved file 0 to file 2 SARE_XMAIL_DIRUNIV
+#@@# Moved file 0 to file 2 SARE_XMAIL_INTERMED
+#@@# Moved file 0 to file 2 SARE_XMAIL_LEO
+#@@# Moved file 0 to file 2 SARE_XMAIL_PHPBulkEmai
+#@@# Moved file 0 to file 2 SARE_HEAD_THRD_ALNUM
+#@@# Moved file 0 to file 2 SARE_HEAD_XM4
+#@@# Moved file 0 to file 2 SARE_HEAD_XMF_AUTHSNDR
+#@@# Moved file 0 to file 2 SARE_HEAD_BDY_BOUNCES %%% OR ARCHIVE
+#@@# Moved file 0 to file 2 SARE_MULT_SEXCLUB
+#@@# Moved file 0 to file 2 SARE_MULT_SUBJ
+#@@# 01.03.19 May 16 2005
+#@@# Corrected lint errors caused by bad cut/paste
+#@@# 01.03.20 May 20 2005
+#@@# Modified and renamed SARE_HEAD_HDR_AUTSUBD to SARE_HEAD_HDR_RMD
+#@@# Moved file 1 to file 0 SARE_HEAD_HDR_XLISTAD
+#@@# Moved file 1 to file 0 SARE_HEAD_MSMPR_RNDSTR
+#@@# Moved file 1 to file 0 SARE_RECV_IP_209190
+#@@# Returned file 1 to file 0 SARE_HEAD_HDR_XTID
+#@@# Returned file 1 to file 0 SARE_RECV_IP_163125
+#@@# Returned file 2 to file 0 SARE_RECV_IP_063111025
+#@@# Returned file 2 to file 0 SARE_HEAD_HDR_EPATH
+#@@# 01.03.21 May 21 2005
+#@@# Minor repairs to "downgraded rule" metas.
+
+# License: Artistic - see http://www.rulesemporium.com/license.txt
+# Current Maintainer: Bob Menschel - RMSA@Menschel.net
+# Current Home: http://www.rulesemporium.com/rules/70_sare_header0.cf
+#
+# Usage: This family of files, 70_sare_header*.cf, contain rules that test email headers
+# (except the Subject header, which is handled in the 70_sare_genlsubj*.cf family of files).
+#
+# File 0: 70_sare_header0.cf -- These are header rules that hit at least 10 spam and no ham.
+# While SARE cannot guarantee they never will hit ham, they have not hit ham in any SARE mass-check, against tens of thousands of ham.
+# This is a rules file we expect any/all email systems using SpamAssassin to benefit from.
+#
+# File 1: 70_sare_header1.cf -- These are header rules that meet one of the follow criteria:
+# a) Rules that do, or in the past have hit ham during SARE mass-check tests
+# b) Rules that hit no ham and currently do not hit more than 10 spam in any single mass-check run.
+# If the rules hit ham, they hit at last 10 spam to each 1 ham.
+# With few exceptions these rules score significantly less than the rules in file 0.
+# Systems which are very sensitive to false positives and/or need to be very careful about resource use may want to exclude this ruleset,
+# pick and choose among its rules, or lower their scores.
+# Systems that use this file 1 should ALSO use file 0.
+#
+# File 2: 70_sare_header2.cf -- These header rules hit no spam at this time, but they are considered "safe" rules that should never hit ham.
+# These are primarily rules that test for specific headers seen only in spam, or similar types of "pretty darn sure" rules.
+# Systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset file to avoid its overhead,
+# but systems with plenty of resources that want to be aggressive against spam may benefit from this ruleset file.
+#
+# File 3: 70_sare_header3.cf -- These are header rules that hit a significant amount of ham during SARE mass-check tests.
+# Systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
+#
+# File 4: 70_sare_header4.cf -- These are header rules that meet one of the following criteria:
+# a) They hit over 100 ham during SARE mass-check tests, but still hit enough spam to be worth while to aggressively anti-spam systems.
+# b) They hit no emails at this time, but have been recommended by anti-spam sources (such as rules developed from Spam-L list reports).
+# Again, systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
+#
+# eng: 70_sare_header_eng.cf -- These are header rules which work well within the English language, but are liable to cause false
+# positives in other languages. They include rules which test for letter combinations and encoded header headers. Systems that
+# receive ham in languages other than English should NOT use this file.
+#
+# x264_x30: 70_sare_header_x264_x30.cf -- These are header rules which have been incorporated into both SpamAssassin 2.64 and 3.0.x,
+# or which duplicate or greatly overlap both 3.0.x rules.
+# Systems which have installed SpamAssassin version 2.64 or 3.0.x should therefore NOT use this file.
+#
+# x30: 70_sare_header_x30.cf -- These are header rules which have been incorporated into SpamAssassin 3.0.x,
+# or which duplicate or greatly overlap 3.0.x rules.
+# Systems which have installed SpamAssassin 3.0.x should therefore NOT use this file.
+#
+# arc: 70_sare_header_arc.cf -- These are header rules that once were published in other files, but which have since lost all value.
+# They either hit too much ham (without hitting enough spam to make it worth while), or they don't hit any spam.
+# SARE regularly runs mass-checks on these rules to see if any of them are worth reviving, but
+# we expect that nobody will be running these rules in any production system.
+
+######## ###################### ##################################################
+# Component rules used within meta rules
+######## ###################### ##################################################
+
+header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
+#counts __SARE_HEAD_8BIT_SUBJ 17149s/110h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts __SARE_HEAD_8BIT_SUBJ 3478s/2h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts __SARE_HEAD_8BIT_SUBJ 2s/1h of 26190 corpus (22790s/3400h MY) 02/15/05
+
+######## ###################### ##################################################
+# Meta rules used to prevent --lint errors after moving/changing rules
+######## ###################### ##################################################
+
+meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
+meta SARE_HEAD_HDR_APPROV __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_DISCREC __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XENC __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XENVID __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XMAILID __SARE_HEAD_FALSE
+meta SARE_FROM_PRINTER __SARE_HEAD_FALSE
+meta SARE_FROM_DEBT __SARE_HEAD_FALSE
+meta SARE_FROM_DVDCOPY __SARE_HEAD_FALSE
+meta SARE_FROM_SPAM_CHAR0 __SARE_HEAD_FALSE
+meta SARE_FREE_WEBM_Jpop __SARE_HEAD_FALSE
+meta SARE_FREE_WEBM_NETCITY __SARE_HEAD_FALSE
+meta SARE_FREE_WEBM_ZCom03 __SARE_HEAD_FALSE
+meta SARE_MSGID_LONG __SARE_HEAD_FALSE
+meta SARE_HELO_YAHOO __SARE_HEAD_FALSE
+meta SARE_RECV_SPAM_DOMN0a __SARE_HEAD_FALSE
+meta SARE_RECV_SPAM_DOMN02 __SARE_HEAD_FALSE
+meta SARE_RECV_VIRTUACOMBR __SARE_HEAD_FALSE
+meta SARE_RECV_IP_066111 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_081019 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_082154 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_195229 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_200150 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_218216 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_222000 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_222126 __SARE_HEAD_FALSE
+meta SARE_XMAIL_PSSMAILER __SARE_HEAD_FALSE
+meta SARE_XMAIL_RLSP __SARE_HEAD_FALSE
+meta SARE_MULT_VIA_CITIZNET __SARE_HEAD_FALSE
+meta SARE_FROM_SUPPORT_DIG __SARE_HEAD_FALSE
+meta SARE_TOCC_BCC_MANY __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XAR __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XNOSPAM __SARE_HEAD_FALSE
+meta SARE_FROM_QUOTE __SARE_HEAD_FALSE
+meta SARE_FROM_SPACE2 __SARE_HEAD_FALSE
+meta SARE_MSGID_EMPTY __SARE_HEAD_FALSE
+meta SARE_RECV_SPAM_DOMN81 __SARE_HEAD_FALSE
+meta SARE_RECV_SPAM_NAME0 __SARE_HEAD_FALSE
+meta SARE_FROM_SPAM_NAME0 __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XAUTOGN __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XCCDIAG __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XMLFILT __SARE_HEAD_FALSE
+meta SARE_HELO_MAIL __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XACWGHT __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XMCAVTP __SARE_HEAD_FALSE
+meta SARE_USERAG_Dig __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XUNOLOOK __SARE_HEAD_FALSE
+meta SARE_MSGID_2KDD __SARE_HEAD_FALSE
+meta SARE_REPLY_SPAMWORD0 __SARE_HEAD_FALSE
+meta SARE_FROM_SPAM_WORD0 __SARE_HEAD_FALSE
+meta SARE_TOCC_COMBO1 __SARE_HEAD_FALSE
+meta SARE_FROM_UK2NET2 __SARE_HEAD_FALSE
+meta SARE_FREE_WEBM_NetSafe __SARE_HEAD_FALSE
+meta SARE_FREE_WEBM_ZCom02 __SARE_HEAD_FALSE
+meta SARE_RECV_SKANOVA __SARE_HEAD_FALSE
+meta SARE_RECV_IP_061050 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_140117 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_211216 __SARE_HEAD_FALSE
+meta SARE_TO_EMPTY __SARE_HEAD_FALSE
+meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_FALSE
+meta SARE_RECV_SPAM_DOMN3 __SARE_HEAD_FALSE
+meta SARE_BOUNDARY_D8 __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XCONTAC __SARE_HEAD_FALSE
+meta SARE_RECV_IP_066114b __SARE_HEAD_FALSE
+meta SARE_BOUNDARY_05 __SARE_HEAD_FALSE
+meta SARE_BOUNDARY_06 __SARE_HEAD_FALSE
+meta SARE_FREE_WEBM_ZZa001 __SARE_HEAD_FALSE
+meta SARE_FROM_CAPS_MSN __SARE_HEAD_FALSE
+meta SARE_FROM_NUM_9DIG __SARE_HEAD_FALSE
+meta SARE_FROM_SPAM_DOMN0 __SARE_HEAD_FALSE
+meta SARE_FROM_SPAM_PL1 __SARE_HEAD_FALSE
+meta SARE_HEAD_8BIT_DATE __SARE_HEAD_FALSE
+meta SARE_HEAD_8BIT_NOSPM __SARE_HEAD_FALSE
+meta SARE_HEAD_DATE14 __SARE_HEAD_FALSE
+meta SARE_HEAD_DATE_5L __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XRIPE __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XWTID __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XWTVERS __SARE_HEAD_FALSE
+meta SARE_HELO_SERVER __SARE_HEAD_FALSE
+meta SARE_MSGID_D1D1D2D16 __SARE_HEAD_FALSE
+meta SARE_RECV_BEZEQINT_B __SARE_HEAD_FALSE
+meta SARE_RECV_IP_061072 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_061190 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_061228 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_062023 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_192116 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_203177 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_218078 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_221124 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_222064 __SARE_HEAD_FALSE
+meta SARE_RECV_ISWEST __SARE_HEAD_FALSE
+meta SARE_RECV_PATMEDIA __SARE_HEAD_FALSE
+meta SARE_BOUNDARY_NP2 __SARE_HEAD_FALSE
+meta SARE_CONTENT_BITBITNUM __SARE_HEAD_FALSE
+meta SARE_FROM_VIRUS1 __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_JLH __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_RTNPATH __SARE_HEAD_FALSE
+meta SARE_MULT_RATW_03 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_064192191 __SARE_HEAD_FALSE
+meta SARE_BOUNDARY_D10 __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XMAILTH __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XMLRSRV __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XSMTPSV __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XUMAIL __SARE_HEAD_FALSE
+meta SARE_MSGID_LONG50 __SARE_HEAD_FALSE
+meta SARE_RECV_SPAM_DOMN04 __SARE_HEAD_FALSE
+meta SARE_XMAIL_GOMAIL __SARE_HEAD_FALSE
+meta SARE_HEAD_8BIT_RECV __SARE_HEAD_FALSE
+meta SARE_RECV_FEP5 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_203210128 __SARE_HEAD_FALSE
+meta SARE_RECV_SPAM_DOMN06 __SARE_HEAD_FALSE
+meta SARE_FREE_WEBM_ZCom05 __SARE_HEAD_FALSE
+meta SARE_HEAD_XUNSENT __SARE_HEAD_FALSE
+meta SARE_RECV_IP_069050210 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_206131 __SARE_HEAD_FALSE +meta SARE_RECV_IP_206248152 __SARE_HEAD_FALSE +meta SARE_RECV_PORTHELO_1 __SARE_HEAD_FALSE +meta SARE_RECV_PORTHELO_2 __SARE_HEAD_FALSE +meta SARE_RECV_PORTHELO_3 __SARE_HEAD_FALSE +meta SARE_RECV_CHAR_CARAT __SARE_HEAD_FALSE +meta SARE_MULT_RATW_02 __SARE_HEAD_FALSE +meta SARE_BOUNDARY_LC __SARE_HEAD_FALSE +meta SARE_FREE_WEBM_FrVoila __SARE_HEAD_FALSE +meta SARE_RECV_IP_066165224 __SARE_HEAD_FALSE +meta SARE_RECV_IP_218088 __SARE_HEAD_FALSE +meta SARE_XMAIL_TOLMAIL __SARE_HEAD_FALSE +meta SARE_RECV_RANDOM __SARE_HEAD_FALSE +meta SARE_BOUNDARY_LC __SARE_HEAD_FALSE +meta SARE_FREE_WEBM_FrVoila __SARE_HEAD_FALSE +meta SARE_HEAD_XWORD __SARE_HEAD_FALSE +meta SARE_RECV_IP_066165224 __SARE_HEAD_FALSE +meta SARE_RECV_IP_218088 __SARE_HEAD_FALSE +meta SARE_XMAIL_TOLMAIL __SARE_HEAD_FALSE +meta SARE_RECV_RANDOM __SARE_HEAD_FALSE +meta SARE_MULT_RATW_02 __SARE_HEAD_FALSE +meta SARE_HEAD_HDR_XBBOUNC __SARE_HEAD_FALSE +meta SARE_RECV_IP_071004246 __SARE_HEAD_FALSE +meta SARE_FREE_WEBM_EsTerra __SARE_HEAD_FALSE +meta SARE_HEAD_HDR_XEMAIL __SARE_HEAD_FALSE +meta SARE_HEAD_DATE46 __SARE_HEAD_FALSE +meta SARE_RECV_IP_063106130 __SARE_HEAD_FALSE +meta SARE_FROM_SPAM_NAME2A __SARE_HEAD_FALSE +meta SARE_HEAD_MIME_INVALID __SARE_HEAD_FALSE +meta SARE_HEAD_HDR_CONVER __SARE_HEAD_FALSE +meta SARE_HEAD_HDR_NLETRID __SARE_HEAD_FALSE +meta SARE_HEAD_HDR_PID __SARE_HEAD_FALSE +meta SARE_HEAD_HDR_XBNCETR __SARE_HEAD_FALSE +meta SARE_HEAD_HDR_XGMAILA __SARE_HEAD_FALSE +meta SARE_HEAD_HDR_XIDSRVR __SARE_HEAD_FALSE +meta SARE_BOUNDARY_02 __SARE_HEAD_FALSE +meta SARE_BOUNDARY_ANYDIG __SARE_HEAD_FALSE +meta SARE_BOUNDARY_D11 __SARE_HEAD_FALSE +meta SARE_FROM_SPAM_NAME2 __SARE_HEAD_FALSE +meta SARE_FROM_WSJ __SARE_HEAD_FALSE +meta SARE_MSGID_HEX30 __SARE_HEAD_FALSE +meta SARE_HELO_MAILUSER __SARE_HEAD_FALSE +meta SARE_RECV_LOCALHOST __SARE_HEAD_FALSE +meta SARE_RECV_SUSP_2 __SARE_HEAD_FALSE +meta SARE_RECV_TRADVALUES __SARE_HEAD_FALSE +meta 
SARE_RECV_VIPLIST __SARE_HEAD_FALSE +meta SARE_RECV_XACTRIX __SARE_HEAD_FALSE +meta SARE_RECV_IP_004078 __SARE_HEAD_FALSE +meta SARE_RECV_IP_038112147 __SARE_HEAD_FALSE +meta SARE_RECV_IP_064069032 __SARE_HEAD_FALSE +meta SARE_RECV_IP_064192082 __SARE_HEAD_FALSE +meta SARE_RECV_IP_066063 __SARE_HEAD_FALSE +meta SARE_RECV_IP_066114a __SARE_HEAD_FALSE +meta SARE_RECV_IP_066159017 __SARE_HEAD_FALSE +meta SARE_RECV_IP_069060122 __SARE_HEAD_FALSE +meta SARE_RECV_IP_070096177 __SARE_HEAD_FALSE +meta SARE_RECV_IP_207182 __SARE_HEAD_FALSE +meta SARE_RECV_IP_208048182 __SARE_HEAD_FALSE +meta SARE_RECV_IP_216055133 __SARE_HEAD_FALSE +meta SARE_REPLY_XACTRIX __SARE_HEAD_FALSE +meta SARE_XMAIL_DIRUNIV __SARE_HEAD_FALSE +meta SARE_XMAIL_INTERMED __SARE_HEAD_FALSE +meta SARE_XMAIL_LEO __SARE_HEAD_FALSE +meta SARE_XMAIL_PHPBulkEmai __SARE_HEAD_FALSE +meta SARE_HEAD_THRD_ALNUM __SARE_HEAD_FALSE +meta SARE_HEAD_XM4 __SARE_HEAD_FALSE +meta SARE_HEAD_XMF_AUTHSNDR __SARE_HEAD_FALSE +meta SARE_HEAD_BDY_BOUNCES __SARE_HEAD_FALSE +meta SARE_MULT_SEXCLUB __SARE_HEAD_FALSE +meta SARE_MULT_SUBJ __SARE_HEAD_FALSE +meta SARE_HEAD_HDR_AUTSUBD __SARE_HEAD_FALSE + +##################################################################################### +# SARE Header-Exists rules +######## ###################### ################################################## + +header SARE_HEAD_HDR_CONVWLS exists:Conversion-With-Loss +describe SARE_HEAD_HDR_CONVWLS Message headers used which identify spam +score SARE_HEAD_HDR_CONVWLS 1.111 +#stype SARE_HEAD_HDR_CONVWLS spamp +#hist SARE_HEAD_HDR_CONVWLS Returned from archive May 2006 +#counts SARE_HEAD_HDR_CONVWLS 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_CONVWLS 16s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_CONVWLS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_CONVWLS 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_CONVWLS 0s/0h of 10853 corpus 
(6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_CONVWLS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_DISPNOP exists:Disposition-Notification-Options +describe SARE_HEAD_HDR_DISPNOP Message headers used which identify spam +score SARE_HEAD_HDR_DISPNOP 1.111 +#stype SARE_HEAD_HDR_DISPNOP spamp +#counts SARE_HEAD_HDR_DISPNOP 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_DISPNOP 60s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 +#counts SARE_HEAD_HDR_DISPNOP 1s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_DISPNOP 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 +#max SARE_HEAD_HDR_DISPNOP 14s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_HEAD_HDR_DISPNOP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_HEAD_HDR_DISPNOP 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_HEAD_HDR_DISPNOP 13s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_DISPNOP 1s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 +#counts SARE_HEAD_HDR_DISPNOP 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 + +header SARE_HEAD_HDR_EPATH exists:Error-path +describe SARE_HEAD_HDR_EPATH Message headers used which identify spam +score SARE_HEAD_HDR_EPATH 1.111 +#stype SARE_HEAD_HDR_EPATH spamp +#counts SARE_HEAD_HDR_EPATH 0s/0h of 238550 corpus (112525s/126025h RM) 02/28/05 +#max SARE_HEAD_HDR_EPATH 4s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_EPATH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_EPATH 59s/0h of 155106 corpus (103557s/51549h DOC) 05/14/06 +#counts SARE_HEAD_HDR_EPATH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_HEAD_HDR_EPATH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_EPATH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 + +header SARE_HEAD_HDR_LANG exists:Language +describe SARE_HEAD_HDR_LANG Message headers used which identify spam +score 
SARE_HEAD_HDR_LANG 1.666 +#stype SARE_HEAD_HDR_LANG spamp +#counts SARE_HEAD_HDR_LANG 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_LANG 413s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 +#counts SARE_HEAD_HDR_LANG 1s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_LANG 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 +#max SARE_HEAD_HDR_LANG 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_HEAD_HDR_LANG 7s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_LANG 2s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06 +#counts SARE_HEAD_HDR_LANG 78s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_HEAD_HDR_LANG 86s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_LANG 16s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 +#counts SARE_HEAD_HDR_LANG 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06 +#max SARE_HEAD_HDR_LANG 3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 + +header SARE_HEAD_HDR_PREVNDR exists:Prevent-NonDelivery-Report +describe SARE_HEAD_HDR_PREVNDR Message headers used which identify spam +score SARE_HEAD_HDR_PREVNDR 1.666 +#stype SARE_HEAD_HDR_PREVNDR spamp +#counts SARE_HEAD_HDR_PREVNDR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_PREVNDR 129s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 +#counts SARE_HEAD_HDR_PREVNDR 1s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_PREVNDR 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 +#max SARE_HEAD_HDR_PREVNDR 21s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_HEAD_HDR_PREVNDR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_HEAD_HDR_PREVNDR 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_HEAD_HDR_PREVNDR 20s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_PREVNDR 3s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 +#counts SARE_HEAD_HDR_PREVNDR 0s/0h of 18196 corpus 
(15673s/2523h MY) 08/16/04 + +header __SARE_HEAD_HDR_RMDA exists:Auto-submitted +header __SARE_HEAD_HDR_RMDB exists:X-RMD-Text +meta SARE_HEAD_HDR_RMD __SARE_HEAD_HDR_RMDA && __SARE_HEAD_HDR_RMDB +describe SARE_HEAD_HDR_RMD Message headers used which identify spam +score SARE_HEAD_HDR_RMD 2.222 +#stype SARE_HEAD_HDR_RMD spamg +#counts SARE_HEAD_HDR_RMD 10s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_RMD 33s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_RMD 21s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_RMD 119s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_HEAD_HDR_RMD 18s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_HEAD_HDR_XCAMPIDZ exists:X-Campidz +describe SARE_HEAD_HDR_XCAMPIDZ Message headers used which identify spam +score SARE_HEAD_HDR_XCAMPIDZ 2.333 +#stype SARE_HEAD_HDR_XCAMPIDZ spamp +#counts SARE_HEAD_HDR_XCAMPIDZ 5s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XCAMPIDZ 2171s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XCAMPIDZ 4s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XCAMPIDZ 226s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06 +#max SARE_HEAD_HDR_XCAMPIDZ 9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 + +header SARE_HEAD_HDR_XCLIHST exists:X-ClientHost +describe SARE_HEAD_HDR_XCLIHST Message headers used which identify spam +score SARE_HEAD_HDR_XCLIHST 2.999 +#stype SARE_HEAD_HDR_XCLIHST spamp +#counts SARE_HEAD_HDR_XCLIHST 338s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XCLIHST 7465s/0h of 689155 corpus 
(348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XCLIHST 136s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XCLIHST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XCLIHST 320s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XCLIHST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_HEAD_HDR_XCLIHST 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_HEAD_HDR_XCLIHST 667s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 +#counts SARE_HEAD_HDR_XCLIHST 1s/0h of 22950 corpus (17237s/5713h MY) 05/14/06 +#max SARE_HEAD_HDR_XCLIHST 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05 + +header SARE_HEAD_HDR_XE exists:X-E +describe SARE_HEAD_HDR_XE Message headers used which identify spam +score SARE_HEAD_HDR_XE 1.666 +#counts SARE_HEAD_HDR_XE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XE 810s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XE 264s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_HEAD_HDR_XE 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XE 1s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 +#counts SARE_HEAD_HDR_XE 3s/0h of 22950 corpus (17237s/5713h MY) 05/14/06 + +header SARE_HEAD_HDR_XCSIP exists:X-CS-IP +describe SARE_HEAD_HDR_XCSIP Message headers used which identify spam +score SARE_HEAD_HDR_XCSIP 2.222 +#stype SARE_HEAD_HDR_XCSIP spamp +#hist SARE_HEAD_HDR_XCSIP FH_HAS_CS_IP +#counts SARE_HEAD_HDR_XCSIP 5s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XCSIP 590s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 +#counts SARE_HEAD_HDR_XCSIP 5s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XCSIP 1s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 +#max SARE_HEAD_HDR_XCSIP 
98s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_HEAD_HDR_XCSIP 9s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XCSIP 26s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06 +#counts SARE_HEAD_HDR_XCSIP 101s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_HEAD_HDR_XCSIP 127s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05 +#counts SARE_HEAD_HDR_XCSIP 48s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 +#counts SARE_HEAD_HDR_XCSIP 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06 +#max SARE_HEAD_HDR_XCSIP 136s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 + +header SARE_HEAD_HDR_XENCVER exists:X-Encoding-Version +describe SARE_HEAD_HDR_XENCVER Message headers used which identify spam +score SARE_HEAD_HDR_XENCVER 2.222 +#stype SARE_HEAD_HDR_XENCVER spamp +#counts SARE_HEAD_HDR_XENCVER 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XENCVER 306s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XENCVER 441s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XENCVER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XENCVER 317s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XENCVER 86s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06 +#counts SARE_HEAD_HDR_XENCVER 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XENCVER 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 + +header SARE_HEAD_HDR_XFIND exists:X-Find +describe SARE_HEAD_HDR_XFIND Message headers used which identify spam +score SARE_HEAD_HDR_XFIND 2.222 +#stype SARE_HEAD_HDR_XFIND spamp +#counts SARE_HEAD_HDR_XFIND 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XFIND 306s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XFIND 441s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XFIND 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts 
SARE_HEAD_HDR_XFIND 317s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XFIND 86s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06 +#counts SARE_HEAD_HDR_XFIND 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XFIND 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 + +header __SARE_HEAD_HDR_XGMXAV exists:X-GMX-Antivirus +header __SARE_HEAD_RECV_GMX Received =~ m'\bgmx\.net' +meta SARE_HEAD_HDR_XGMXAV __SARE_HEAD_HDR_XGMXAV && !__SARE_HEAD_RECV_GMX +describe SARE_HEAD_HDR_XGMXAV Message headers used which identify spam +score SARE_HEAD_HDR_XGMXAV 1.666 +#hist SARE_HEAD_HDR_XGMXAV Added test: not passed through GMX system, suggested by Wolfgang Zeikat, Nov 2005 +#counts SARE_HEAD_HDR_XGMXAV 146s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XGMXAV 199s/0h of 400432 corpus (178148s/222284h RM) 03/31/05 +#counts SARE_HEAD_HDR_XGMXAV 6s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06 +#counts SARE_HEAD_HDR_XGMXAV 26s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 +#counts SARE_HEAD_HDR_XGMXAV 490s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XGMXAV 32s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06 +#counts SARE_HEAD_HDR_XGMXAV 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_HEAD_HDR_XGMXAV 10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XGMXAV 304s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 +#counts SARE_HEAD_HDR_XGMXAV 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_HEAD_HDR_XGMXAV 33s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 + +header SARE_HEAD_HDR_XLISTAD exists:X-LISTADDRESS +describe SARE_HEAD_HDR_XLISTAD Message headers used which identify spam +score SARE_HEAD_HDR_XLISTAD 1.111 +#stype SARE_HEAD_HDR_XLISTAD spamp +#counts SARE_HEAD_HDR_XLISTAD 12s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XLISTAD 46s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts 
SARE_HEAD_HDR_XLISTAD 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06 +#counts SARE_HEAD_HDR_XLISTAD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XLISTAD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XLISTAD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XLISTAD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XRMDTXT exists:X-RMD-Text +describe SARE_HEAD_HDR_XRMDTXT Message headers used which identify spam +score SARE_HEAD_HDR_XRMDTXT 1.111 +#stype SARE_HEAD_HDR_XRMDTXT spamp +#counts SARE_HEAD_HDR_XRMDTXT 10s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XRMDTXT 33s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XRMDTXT 21s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XRMDTXT 118s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XRMDTXT 18s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06 +#counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XRMDTXT 1s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 +#counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_HEAD_HDR_XRMDTXT 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 + +header SARE_HEAD_HDR_XRMVADR exists:X-Remove-Address +describe SARE_HEAD_HDR_XRMVADR Message headers used which identify spam +score SARE_HEAD_HDR_XRMVADR 1.111 +#stype SARE_HEAD_HDR_XRMVADR spamp +#counts SARE_HEAD_HDR_XRMVADR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XRMVADR 42s/0h of 275081 corpus (134226s/140855h RM) 05/30/05 +#counts SARE_HEAD_HDR_XRMVADR 18s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XRMVADR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XRMVADR 1s/0h of 42264 corpus (34146s/8118h 
FVGT) 05/15/06 +#counts SARE_HEAD_HDR_XRMVADR 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05 +#counts SARE_HEAD_HDR_XRMVADR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 + +header SARE_HEAD_HDR_XRSPCID exists:X-Responder-CID +describe SARE_HEAD_HDR_XRSPCID Message headers used which identify spam +score SARE_HEAD_HDR_XRSPCID 1.111 +#stype SARE_HEAD_HDR_XRSPCID spamp +#counts SARE_HEAD_HDR_XRSPCID 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XRSPCID 25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05 +#counts SARE_HEAD_HDR_XRSPCID 18s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XRSPCID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XRSPCID 1s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06 +#counts SARE_HEAD_HDR_XRSPCID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XRSPCID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 + +header SARE_HEAD_HDR_XRSPRID exists:X-Responder-ID +describe SARE_HEAD_HDR_XRSPRID Message headers used which identify spam +score SARE_HEAD_HDR_XRSPRID 1.111 +#stype SARE_HEAD_HDR_XRSPRID spamp +#counts SARE_HEAD_HDR_XRSPRID 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XRSPRID 71s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XRSPRID 19s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XRSPRID 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_HEAD_HDR_XRSPRID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XRSPRID 1s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XRSPRID 1s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06 +#max SARE_HEAD_HDR_XRSPRID 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05 +#counts SARE_HEAD_HDR_XRSPRID 1s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 +#counts SARE_HEAD_HDR_XRSPRID 1s/0h of 22950 corpus (17237s/5713h MY) 05/14/06 + +header SARE_HEAD_HDR_XRSPUSR 
exists:X-Responder-USR
+describe SARE_HEAD_HDR_XRSPUSR Message headers used which identify spam
+score SARE_HEAD_HDR_XRSPUSR 1.111
+#stype SARE_HEAD_HDR_XRSPUSR spamp
+#counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XRSPUSR 25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#counts SARE_HEAD_HDR_XRSPUSR 18s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRSPUSR 1s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+
+header SARE_HEAD_HDR_XSPAMTST exists:X-SpamTest-Info
+describe SARE_HEAD_HDR_XSPAMTST Message headers used which identify spam
+score SARE_HEAD_HDR_XSPAMTST 1.111
+#stype SARE_HEAD_HDR_XSPAMTST spamp
+#hist SARE_HEAD_HDR_XSPAMTST Bob Menschel, May 14, 2005
+#counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XSPAMTST 57s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#counts SARE_HEAD_HDR_XSPAMTST 1s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
+#counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSPAMTST 7s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_HDR_XSPAMTST 1s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_HEAD_HDR_XSPTRID exists:X-SP-Track-ID
+describe SARE_HEAD_HDR_XSPTRID Message headers used which identify spam
+score SARE_HEAD_HDR_XSPTRID 1.666
+#stype SARE_HEAD_HDR_XSPTRID spamp
+#hist SARE_HEAD_HDR_XSPTRID FH_XSPTRACK
+#counts SARE_HEAD_HDR_XSPTRID 186s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max
SARE_HEAD_HDR_XSPTRID 593s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XSPTRID 340s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_HEAD_HDR_XSPTRID 42s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HEAD_HDR_XSPTRID 44s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_HEAD_HDR_XSPTRID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XSPTRID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XSPTRID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSPTRID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XTID exists:X-TID
+describe SARE_HEAD_HDR_XTID Message headers used which identify spam
+score SARE_HEAD_HDR_XTID 1.111
+#stype SARE_HEAD_HDR_XTID spamp
+#hist SARE_HEAD_HDR_XTID Returned from file 1 to file 0, May 2006
+#counts SARE_HEAD_HDR_XTID 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XTID 19s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_XTID 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_HEAD_HDR_XTID 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_HEAD_HDR_XTID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XTID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XTID 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_HDR_XTID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XUOLSRV exists:X-UOL-Srv
+describe SARE_HEAD_HDR_XUOLSRV Message headers used which identify spam
+score SARE_HEAD_HDR_XUOLSRV 1.111
+#stype SARE_HEAD_HDR_XUOLSRV spamp
+#counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XUOLSRV 23s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XUOLSRV 1s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_HEAD_HDR_XUOLSRV 0s/0h of
18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XWCMID exists:X-WCMailID
+describe SARE_HEAD_HDR_XWCMID Message headers used which identify spam
+score SARE_HEAD_HDR_XWCMID 2.222
+#counts SARE_HEAD_HDR_XWCMID 31s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XWCMID 1011s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XWCMID 1s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HEAD_HDR_XWCMID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XWCMID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XWCMID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XWCMID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XWEBMTM exists:X-Webmail-Time
+describe SARE_HEAD_HDR_XWEBMTM Message headers used which identify spam
+score SARE_HEAD_HDR_XWEBMTM 1.666
+#stype SARE_HEAD_HDR_XWEBMTM spamp
+#counts SARE_HEAD_HDR_XWEBMTM 12s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XWEBMTM 351s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_XWEBMTM 2s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_HEAD_HDR_XWEBMTM 2s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_HEAD_HDR_XWEBMTM 41s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_XWEBMTM 13s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HEAD_HDR_XWEBMTM 11s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_HDR_XWEBMTM 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_XWEBMTM 112s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XWEBMTM 25s/0h of 105832 corpus
(72573s/33259h ML) 05/14/06
+#counts SARE_HEAD_HDR_XWEBMTM 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_HEAD_HDR_XWEBMTM 78s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+
+#####################################################################################
+# SARE Content-Type and Boundary rules
+######## ###################### ##################################################
+
+header SARE_BOUNDARY_03 Content-Type =~ /boundary="-{10}[A-F0-9]{20,}"/
+describe SARE_BOUNDARY_03 Content type boundary used in spam or virus
+score SARE_BOUNDARY_03 1.666
+#stype SARE_BOUNDARY_03 spamp
+#hist SARE_BOUNDARY_03 Created by Bob Menschel May 31 2004
+#counts SARE_BOUNDARY_03 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_03 132s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_BOUNDARY_03 7s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_BOUNDARY_03 42s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_BOUNDARY_03 47s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_BOUNDARY_03 590s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_03 211s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_BOUNDARY_03 0s/0h of 13447 corpus (11336s/2111h MY) 06/02/04
+
+header SARE_BOUNDARY_10 Content-Type =~ /boundary=\"----[a-z\d]{10}-[\w\.]+\"$/is
+describe SARE_BOUNDARY_10 Possible spam flag
+score SARE_BOUNDARY_10 2.333
+#hist SARE_BOUNDARY_10 Loren Wilton, Feb 21 2005
+#counts SARE_BOUNDARY_10 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_10 2495s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_BOUNDARY_10 503s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_BOUNDARY_10 117s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_10 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_BOUNDARY_10 0s/0h
of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_BOUNDARY_11 Content-Type =~ /boundary=\"--\d{2,7}-\d{2,7}-\d{2,7}\"/
+score SARE_BOUNDARY_11 1.344
+describe SARE_BOUNDARY_11 Possible spam flag
+#hist SARE_BOUNDARY_11 Loren Wilton, Feb 21 2005
+#counts SARE_BOUNDARY_11 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_11 125s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_BOUNDARY_11 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_11 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_BOUNDARY_11 38s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_BOUNDARY_10 503s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_BOUNDARY_11 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
+#max SARE_BOUNDARY_11 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_BOUNDARY_11 3s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_BOUNDARY_11 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_BOUNDARY_12 Content-Type =~ /boundary=\"--[a-z]+\d+[a-z]+"/ # no /i
+describe SARE_BOUNDARY_12 Possible spam flag
+score SARE_BOUNDARY_12 1.666
+#hist SARE_BOUNDARY_12 Loren Wilton, Feb 21 2005
+#counts SARE_BOUNDARY_12 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_12 288s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_BOUNDARY_12 1s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
+#counts SARE_BOUNDARY_12 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_12 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_BOUNDARY_12 45s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_12 5s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_BOUNDARY_12 6s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_BOUNDARY_12 34s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_BOUNDARY_12 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header
SARE_BOUNDARY_13 Content-Type =~ /boundary=\"Java\.[A-Z]{5}\.\d{10,30}"/ # no /i
+score SARE_BOUNDARY_13 1.666
+describe SARE_BOUNDARY_13 Possible spam flag
+#hist SARE_BOUNDARY_13 Loren Wilton, Feb 21 2005
+#counts SARE_BOUNDARY_13 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_13 614s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_BOUNDARY_13 61s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_13 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_BOUNDARY_13 133s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_13 20s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_BOUNDARY_13 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_BOUNDARY_13 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_BOUNDARY_D9 Content-Type =~ /boundary="\d{9}"/
+describe SARE_BOUNDARY_D9 Content type boundary used in spam or virus
+score SARE_BOUNDARY_D9 1.111
+#stype SARE_BOUNDARY_D9 spamp
+#hist SARE_BOUNDARY_D9 Created by Bob Menschel May 31 2004
+#counts SARE_BOUNDARY_D9 24s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_D9 80s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_BOUNDARY_D9 3s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_BOUNDARY_D9 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_BOUNDARY_D9 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_BOUNDARY_D9 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_BOUNDARY_D9 4s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_BOUNDARY_D9 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_BOUNDARY_D9 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header __SARE_BOUNDARY_D12 Content-Type =~ /boundary="\d{12,}"/
+meta SARE_BOUNDARY_D12 __SARE_BOUNDARY_D12 && !MIME_BOUND_DIGITS_15
+describe SARE_BOUNDARY_D12 Content type boundary used in spam or virus
+score SARE_BOUNDARY_D12 2.222
+#stype
SARE_BOUNDARY_D12 spamp
+#hist SARE_BOUNDARY_D12 Created by Bob Menschel May 31 2004
+#V300 SARE_BOUNDARY_D12 Converted to meta to avoid double-scoring new SA 3.0 MIME_BOUND_DIGITS_15 rule
+#counts SARE_BOUNDARY_D12 106s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_D12 412s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_D12 572s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
+#counts SARE_BOUNDARY_D12 11s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_BOUNDARY_D12 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_BOUNDARY_D12 109s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_BOUNDARY_D12 858s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_BOUNDARY_D12 188s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_BOUNDARY_D12 238s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_BOUNDARY_D12 92s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_BOUNDARY_D12 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#alone SARE_BOUNDARY_D12 701s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+
+header SARE_BOUNDARY_QZSOFT content-type =~ /boundary="qzsoft_directmail_seperator"/
+describe SARE_BOUNDARY_QZSOFT Identifies spam from specific spamware
+score SARE_BOUNDARY_QZSOFT 1.666
+#hist SARE_BOUNDARY_QZSOFT Loren Wilton, LW_DIRECTMAIL, Sep 5 2004
+#counts SARE_BOUNDARY_QZSOFT 63s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_QZSOFT 347s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_QZSOFT 114s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_BOUNDARY_QZSOFT 5s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_BOUNDARY_QZSOFT 38s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_BOUNDARY_QZSOFT 43s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_BOUNDARY_QZSOFT 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max
SARE_BOUNDARY_QZSOFT 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_BOUNDARY_QZSOFT 28s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_BOUNDARY_QZSOFT 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+
+#####################################################################################
+# SARE From Rules
+######## ###################### ##################################################
+
+header __AOL_FROM From:addr =~ /\@(?:aol|cs)\.com$/i
+header __SARE_FROM_GOODAOL From =~ /[a-z][a-z0-9]{2,15}\@(?:aol|cs).com/i
+describe __SARE_FROM_GOODAOL Partial Rule: Marks Bad AOL Addresses
+meta SARE_FROM_BADAOL __AOL_FROM && !__SARE_FROM_GOODAOL
+describe SARE_FROM_BADAOL From an Invalid AOL Email Address
+score SARE_FROM_BADAOL 1.666
+#hist SARE_FROM_BADAOL KAM.COMBO_BADAOL Originally submitted by from Kevin A. McGrail
+#hist SARE_FROM_BADAOL Rule based on Kelson Vibber's MD code for bogus AOL Addresses
+#hist SARE_FROM_BADAOL Check for bogus AOL addresses as described at
+#hist SARE_FROM_BADAOL http://postmaster.aol.com/faq/mailerfaq.html#syntax
+#hist SARE_FROM_BADAOL Rule for good addresses: all alphanumeric, starting with a letter, from 3 to 16 characters long.
+#hist SARE_FROM_BADAOL Added cs.com to __SARE_FROM_GOODAOL, Bob Menschel 11/11/05, suggested by Gabriel Billington
+#note SARE_FROM_BADAOL __AOL_FROM is SA Distrib rule
+#counts SARE_FROM_BADAOL 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_BADAOL 359s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_FROM_BADAOL 30s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FROM_BADAOL 51s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FROM_BADAOL 17s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FROM_BADAOL 1s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#max SARE_FROM_BADAOL 10s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FROM_BADAOL 4s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_FROM_BADAOL 11s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FROM_BADAOL 3s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#max SARE_FROM_BADAOL 4s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_FROM_DRUGS From =~ /\b(?:cialis|levitra|phentermine|valium|viagra|vicodin|xanax)\b/i
+describe SARE_FROM_DRUGS From a drug
+score SARE_FROM_DRUGS 1.666
+#hist SARE_FROM_DRUGS Bob Menschel May 14 2005, from sample provided by Joanne Dow
+#hist SARE_FROM_DRUGS Split SOMA to new SARE_FROM_DRUGS2 rule because of ham.
+#counts SARE_FROM_DRUGS 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_DRUGS 753s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
+#counts SARE_FROM_DRUGS 1s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FROM_DRUGS 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_FROM_DRUGS 17s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_DRUGS 30s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FROM_DRUGS 5s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_FROM_DRUGS 4s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FROM_DRUGS 72s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_FROM_DRUGS 108s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_FROM_DRUGS 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_FROM_HOODIA From =~ /"Hoodia/i
+describe SARE_FROM_HOODIA From who do ya say?
+score SARE_FROM_HOODIA 1.666
+#stype SARE_FRMO_HOODIA spamg
+#hist SARE_FROM_HOODIA Loren Wilton, Sept 2005
+#counts SARE_FROM_HOODIA 59s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_FROM_HOODIA 1s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FROM_HOODIA 2s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_FROM_HOODIA 100s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FROM_HOODIA 444s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_FROM_HOODIA 21s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FROM_HOODIA 18s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FROM_HOODIA 31s/0h of 56592 corpus (51660s/4932h MY) 09/22/05
+
+header SARE_FROM_PAYPAL_INV From =~ /(?:admin|services|support|update|verification)\@paypal.com/i
+describe SARE_FROM_PAYPAL_INV From invalid address at PayPal
+score SARE_FROM_PAYPAL_INV 1.111
+#stype SARE_FROM_PAYPAL_INV spamp
+#hist SARE_FROM_PAYPAL_INV Created by Bob Menschel Sep 24 2004
+#counts SARE_FROM_PAYPAL_INV 7s/0h of 173032 corpus
(99056s/73976h RM) 05/11/06
+#max SARE_FROM_PAYPAL_INV 39s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_FROM_PAYPAL_INV 8s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FROM_PAYPAL_INV 10s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FROM_PAYPAL_INV 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_PAYPAL_INV 4s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FROM_PAYPAL_INV 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_FROM_PAYPAL_INV 12s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_FROM_PAYPAL_INV 1s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
+
+#####################################################################################
+# SARE From Rules -- Emails coming from free webmail accounts
+# Since spam from these can vary depending upon country of origin,
+# country of destination, policies, and enforcement of policies,
+# most of these are kept as separate rules rather than combined.
+######## ###################### ##################################################
+
+header SARE_FREE_WEBM_COMWALL From =~ /\@walla\.com/i
+describe SARE_FREE_WEBM_COMWALL Maybe spammer with free email
+score SARE_FREE_WEBM_COMWALL 1.666
+#hist SARE_FREE_WEBM_COMWALL Created by Bob Menschel Sep 26 2004
+#counts SARE_FREE_WEBM_COMWALL 47s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FREE_WEBM_COMWALL 851s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_COMWALL 13s/1h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FREE_WEBM_COMWALL 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_FREE_WEBM_COMWALL 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FREE_WEBM_COMWALL 101s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FREE_WEBM_COMWALL 57s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_FREE_WEBM_COMWALL 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_FREE_WEBM_COMWALL 36s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FREE_WEBM_COMWALL 6s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FREE_WEBM_COMWALL 13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_FREE_WEBM_Dora From =~ /\bdoramail\.com/i
+describe SARE_FREE_WEBM_Dora Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Dora 1.666
+#counts SARE_FREE_WEBM_Dora 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FREE_WEBM_Dora 182s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_Dora 36s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FREE_WEBM_Dora 8s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_FREE_WEBM_Dora 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_Dora 16s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FREE_WEBM_Dora 2s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_FREE_WEBM_Dora 9s/0h of 55848 corpus
(18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_Dora 20s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FREE_WEBM_Dora 185s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FREE_WEBM_Dora 2s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FREE_WEBM_Dora 21s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+
+header SARE_FROM_WEBM_ERESMAS From =~ /eresmas\.com/i
+describe SARE_FROM_WEBM_ERESMAS Probable spammer
+score SARE_FROM_WEBM_ERESMAS 1.666
+#hist SARE_FROM_WEBM_ERESMAS Bob Menschel May 14 2005
+#counts SARE_FROM_WEBM_ERESMAS 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_WEBM_ERESMAS 619s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
+#counts SARE_FROM_WEBM_ERESMAS 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_FROM_WEBM_ERESMAS 13s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FROM_WEBM_ERESMAS 5s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FROM_WEBM_ERESMAS 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+#counts SARE_FROM_WEBM_ERESMAS 10s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FROM_WEBM_ERESMAS 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FROM_WEBM_ERESMAS 26s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_WEBM_ERESMAS 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_FREE_WEBM_Kero From =~ /\bKeromail\.com/i
+describe SARE_FREE_WEBM_Kero Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Kero 0.950
+#counts SARE_FREE_WEBM_Kero 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FREE_WEBM_Kero 46s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
+#counts SARE_FREE_WEBM_Kero 4s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
+#counts SARE_FREE_WEBM_Kero 4s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_FREE_WEBM_Kero 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FREE_WEBM_Kero 9s/0h of 155711 corpus (104163s/51548h DOC)
05/15/06
+#counts SARE_FREE_WEBM_Kero 44s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_FREE_WEBM_Kero 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_FREE_WEBM_Kero 12s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FREE_WEBM_Kero 23s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FREE_WEBM_Kero 1s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FREE_WEBM_Kero 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_FREE_WEBM_LATINML From =~ /\@latinmail\.com/i
+describe SARE_FREE_WEBM_LATINML Maybe spammer with free email
+score SARE_FREE_WEBM_LATINML 1.666
+#hist SARE_FREE_WEBM_LATINML Created by Bob Menschel Sep 28 2004
+#counts SARE_FREE_WEBM_LATINML 6s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FREE_WEBM_LATINML 296s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_FREE_WEBM_LATINML 1s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_FREE_WEBM_LATINML 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_LATINML 27s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FREE_WEBM_LATINML 1s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_FREE_WEBM_LATINML 6s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FREE_WEBM_LATINML 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_LATINML 19s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FREE_WEBM_LATINML 20s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FREE_WEBM_LATINML 1s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FREE_WEBM_LATINML 7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_FREE_WEBM_OwnEm1 From =~
/\@(?:ownemail|akkadian|alarmists|armymail|arsed|astromail|barefooted|bellybuster|bemused|bigisbeautiful|bigisbetter|bigsecret|blag|blahdeblah|blowitup|boardmaster|bobbles|boster|brutes|buttonpushers|chalky|changeplace|charlies|chasing|cherrycola|chewies|chocolatejunkies|clubfever|codemaster|creaky|crumbly|currymonster|cutemail|darkcorner|darkplace|daydreamer|deepdesire|desilver|diddled|djsuperstars|doleoffice|dotters|downboy|ducktail|elitists|emergencymail)\.com/i
+describe SARE_FREE_WEBM_OwnEm1 Sender used free email account - may be spammer
+#describ SARE_FREE_WEBM_OwnEm1 These are all aliases of the OwnEmail.Com service, from which we get spam.
+score SARE_FREE_WEBM_OwnEm1 1.666
+#note SARE_FREE_WEBM_OwnEm1 The SARE_FREE_WEBM_OWNEMn rules all apply to the same webmail host -- score identically as long as no ham match.
+#counts SARE_FREE_WEBM_OwnEm1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FREE_WEBM_OwnEm1 159s/0h of 115937 corpus (94614s/21323h) 04/29/04
+#counts SARE_FREE_WEBM_OwnEm1 2s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FREE_WEBM_OwnEm1 1s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_FREE_WEBM_OwnEm1 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_OwnEm1 7s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FREE_WEBM_OwnEm1 3s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_FREE_WEBM_OwnEm1 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_OwnEm1 19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FREE_WEBM_OwnEm1 3s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FREE_WEBM_OwnEm1 2s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FREE_WEBM_OwnEm1 35s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+header SARE_FREE_WEBM_OwnEm2 From =~
/\@(?:fairyqueen|fantasyforce|fastbowler|firelord|fynns|gameaddict|gobby|hothatches|kickedout|kred|lemonmail|liquidlunch|lovesecrets|luckster|lucys|madder|makethebreak|manmachine|mippy|misssporty|mistersporty|mrlottery|mrsporty|nagging|naseem|nicked|ownplace|pammy|poppet|qualitymail|r-a-v-e|raddled|ribber|shearer|slouching|spoofer|stalkers|sthelens|stubby|sunstertacomail|taureans|tenderkiss|thearchway|thebrewer|thecutest|thelostworld|tiggy|tizzi|tosser|trilby)\.com/i
+describe SARE_FREE_WEBM_OwnEm2 Sender used free email account - may be spammer
+score SARE_FREE_WEBM_OwnEm2 1.666
+#note SARE_FREE_WEBM_OWNEm2 The SARE_FREE_WEBM_OWNEMn rules all apply to the same webmail host -- score identically as long as no ham match.
+#counts SARE_FREE_WEBM_OwnEm2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FREE_WEBM_OwnEm2 153s/0h of 115937 corpus (94614s/21323h) 04/29/04
+#counts SARE_FREE_WEBM_OwnEm2 1s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FREE_WEBM_OwnEm2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_OwnEm2 8s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FREE_WEBM_OwnEm2 7s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FREE_WEBM_OwnEm2 18s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FREE_WEBM_OwnEm2 35s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FREE_WEBM_OwnEm2 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_FREE_WEBM_OwnEm2 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FREE_WEBM_OwnEm2 8s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FREE_WEBM_OwnEm2 1s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
+#max SARE_FREE_WEBM_OwnEm2 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_FREE_WEBM_Uymail From =~ /\buymail\.com/i
+describe SARE_FREE_WEBM_Uymail Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Uymail 1.228
+#counts SARE_FREE_WEBM_Uymail 3s/0h of
173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FREE_WEBM_Uymail 103s/0h of 125163 corpus (104972s/20191h) 03/28/04
+#counts SARE_FREE_WEBM_Uymail 3s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FREE_WEBM_Uymail 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FREE_WEBM_Uymail 24s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FREE_WEBM_Uymail 10s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_FREE_WEBM_Uymail 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_FREE_WEBM_Uymail 17s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FREE_WEBM_Uymail 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FREE_WEBM_Uymail 4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+header SARE_FREE_WEBM_Zwallet From =~ /\bzwallet\.com/i
+describe SARE_FREE_WEBM_Zwallet Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Zwallet 1.666
+#counts SARE_FREE_WEBM_Zwallet 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FREE_WEBM_Zwallet 241s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FREE_WEBM_Zwallet 2s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_FREE_WEBM_Zwallet 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FREE_WEBM_Zwallet 19s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_FREE_WEBM_Zwallet 12s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_FREE_WEBM_Zwallet 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FREE_WEBM_Zwallet 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FREE_WEBM_Zwallet 9s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_FREE_WEBM_Zwallet 2s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FREE_WEBM_Zwallet 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+#####################################################################################
+# SARE Message-ID rules
+########
###################### ##################################################
+
+header SARE_MSGID_1Z1Z MESSAGEID =~ /<1z.+\@1z/
+describe SARE_MSGID_1Z1Z Message-ID has ratware pattern (1zXXXX@1z)
+score SARE_MSGID_1Z1Z 2.222
+#counts SARE_MSGID_1Z1Z 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_MSGID_1Z1Z 978s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_MSGID_1Z1Z 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_MSGID_1Z1Z 94s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
+#counts SARE_MSGID_1Z1Z 13s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_MSGID_1Z1Z 527s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_MSGID_1Z1Z 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_1Z1Z 20s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_MSGID_1Z1Z 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
+#max SARE_MSGID_1Z1Z 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Received Header Rules
+######## ###################### ##################################################
+
+header SARE_HELO_GMAILSMTP Received =~ /HELO gmail-smtp-in/
+score SARE_HELO_GMAILSMTP 1.999
+#hist SARE_HELO_GMAILSMTP Fred Tarasevicius, March 2006
+#hist SARE_HELO_GMAILSMTP Apparently scheduled for SA distribution in 3.2
+#counts SARE_HELO_GMAILSMTP 0s/0h of 9374 corpus (7151s/2223h AxB) 03/01/06
+#counts SARE_HELO_GMAILSMTP 22s/0h of 13283 corpus (7411s/5872h CT) 05/10/06
+#counts SARE_HELO_GMAILSMTP 346s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HELO_GMAILSMTP 294s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_HELO_GMAILSMTP 503s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#max SARE_HELO_GMAILSMTP 536s/0h of 107069 corpus (74706s/32363h ML) 05/10/06
+#counts SARE_HELO_GMAILSMTP 1s/0h of 22947 corpus (17234s/5713h MY) 05/10/06
+#counts SARE_HELO_GMAILSMTP
159s/0h of 103116 corpus (63731s/39385h DOC) 03/01/06
+#counts SARE_HELO_GMAILSMTP 119s/0h of 155369 corpus (81693s/73676h RM) 05/10/06
+
+#####################################################################################
+# SARE Received Header IP Address Rules
+######## ###################### ##################################################
+
+header SARE_RECV_IP_061052 Received =~ /\[61\.5[2-4]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061052 Spam passed through possible spammer relay
+score SARE_RECV_IP_061052 1.666
+#stype SARE_RECV_IP_061052 spamp
+#hist SARE_RECV_IP_061052 Created by Bob Menschel May 10 2004
+#counts SARE_RECV_IP_061052 206s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_061052 410s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_061052 47s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_061052 56s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_RECV_IP_061052 84s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_061052 147s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_061052 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_061052 25s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_061052 37s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_061052 15s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_061052 15s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+
+header SARE_RECV_IP_061172 Received =~ /\[61\.17[23]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061172 Spam passed through possible spammer relay
+score SARE_RECV_IP_061172 1.666
+#stype SARE_RECV_IP_061172 spamp
+#counts SARE_RECV_IP_061172 56s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_061172 305s/0h of 119325 corpus (98981s/20344h) 03/22/04
+#counts SARE_RECV_IP_061172 9s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts
SARE_RECV_IP_061172 12s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_RECV_IP_061172 45s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_IP_061172 39s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_061172 58s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_061172 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_061172 27s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_061172 16s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_061172 32s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_061172 276s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_RECV_IP_063111025 received =~ /\[63\.111\.25\.\d{1,3}\]/
+describe SARE_RECV_IP_063111025 Spam passed through possible spammer relay
+score SARE_RECV_IP_063111025 1.666
+#stype SARE_RECV_IP_063111025 spamp
+#hist SARE_RECV_IP_063111025 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
+#counts SARE_RECV_IP_063111025 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#max SARE_RECV_IP_063111025 65s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_RECV_IP_063111025 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_063111025 98s/0h of 155106 corpus (103557s/51549h DOC) 05/14/06
+#counts SARE_RECV_IP_063111025 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_063111025 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_063111025 130s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+
+header SARE_RECV_IP_066059094 Received =~ /\[66\.59\.94\.\d{1,3}\]/
+describe SARE_RECV_IP_066059094 Spam passed through possible spammer relay
+score SARE_RECV_IP_066059094 2.333
+#hist SARE_RECV_IP_066059094 Created by Bob Menschel Aug 07 2005
+#counts SARE_RECV_IP_066059094 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_066059094 2505s/0h of
689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_066059094 5s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
+#counts SARE_RECV_IP_066059094 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_066059094 287s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_066059094 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+#counts SARE_RECV_IP_066059094 20s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+
+header SARE_RECV_IP_071004200 Received =~ /\[71\.4\.2\d\d\.\d{1,3}\]/
+describe SARE_RECV_IP_071004200 Spam passed through possible spammer relay
+score SARE_RECV_IP_071004200 1.666
+#stype SARE_RECV_IP_071004200 spamp
+#hist SARE_RECV_IP_071004200 Created by Bob Menschel May 14 2005
+#counts SARE_RECV_IP_071004200 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_071004200 51s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_RECV_IP_071004200 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_071004200 35s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_071004200 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
+#max SARE_RECV_IP_071004200 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#counts SARE_RECV_IP_071004200 6s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_071004200 298s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_072034096 Received =~ /\[72\.34\.(?:9[6-9]|1(?:0\d|1[01]))\.\d{1,3}\]/
+describe SARE_RECV_IP_072034096 Spam passed through possible spammer relay
+score SARE_RECV_IP_072034096 1.666
+#stype SARE_RECV_IP_072034096 spamp
+#hist SARE_RECV_IP_072034096 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_072034096 Race Technologies
+#counts SARE_RECV_IP_072034096 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_072034096 255s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
+#counts SARE_RECV_IP_072034096 1s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_072034096 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_072034096 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_072034096 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_072034096 4s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_163125 Received =~ /\[163\.125\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_163125 Spam passed through possible spammer relay
+score SARE_RECV_IP_163125 1.111
+#stype SARE_RECV_IP_163125 spamp
+#hist SARE_RECV_IP_163125 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_163125 Success Marketing Associates, LLC
+#counts SARE_RECV_IP_163125 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_163125 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_163125 94s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_163125 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_163125 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_RECV_IP_204010039 Received =~ /\[204\.10\.39\.(?:3[2-9]|[45]\d|6[0-3])\]/
+describe SARE_RECV_IP_204010039 Spam passed through possible spammer relay
+score SARE_RECV_IP_204010039 1.111
+#stype SARE_RECV_IP_204010039 spamp
+#hist SARE_RECV_IP_204010039 Created by Bob Menschel Aug 07 2005
+#note SARE_RECV_IP_204010039 Strategic Impact Concepts
+#counts SARE_RECV_IP_204010039 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_204010039 34s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_204010039 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_204010039 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+#counts SARE_RECV_IP_204010039 2s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+
+header SARE_RECV_IP_206081080 received =~ /\[206\.81\.(?:8\d|9[0-5])\.\d{1,3}\]/
+describe SARE_RECV_IP_206081080 Spam passed through possible spammer relay
+score
SARE_RECV_IP_206081080 1.666
+#stype SARE_RECV_IP_206081080 spamp
+#hist SARE_RECV_IP_206081080 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
+#counts SARE_RECV_IP_206081080 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_206081080 32s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
+#counts SARE_RECV_IP_206081080 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_206081080 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_206081080 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_206081080 152s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_RECV_IP_206081080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_206081080 12s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_206081080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_IP_208053011 Received =~ /\[208\.53\.11\.\d{1,3}\]/
+describe SARE_RECV_IP_208053011 Spam passed through possible spammer relay
+score SARE_RECV_IP_208053011 1.666
+#stype SARE_RECV_IP_208053011 spamp
+#hist SARE_RECV_IP_208053011 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_208053011 Advanced Dedicated Database Servers LLC
+#counts SARE_RECV_IP_208053011 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_208053011 5s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#counts SARE_RECV_IP_208053011 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_208053011 24s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_208053011 2s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_208053011 17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_209190 Received =~ /\[209\.190\.(?:8|9|1[0-5])\.\d{1,3}\]/
+describe SARE_RECV_IP_209190 Spam passed through possible spammer relay
+score SARE_RECV_IP_209190 2.222
+#stype SARE_RECV_IP_209190 spamp
+#hist
SARE_RECV_IP_209190 Created by Bob Menschel Aug 07 2005
+#note SARE_RECV_IP_209190 S-INFOTECH, Inc.
+#counts SARE_RECV_IP_209190 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_209190 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_209190 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_209190 306s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+
+header SARE_RECV_IP_218011 Received =~ /\[218\.1[12]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218011 Spam passed through Chinese CNCGROUP-HE system
+score SARE_RECV_IP_218011 1.666
+#stype SARE_RECV_IP_218011 spamp
+#counts SARE_RECV_IP_218011 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_218011 149s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
+#counts SARE_RECV_IP_218011 17s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_218011 22s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_218011 2s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_RECV_IP_218011 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_218011 13s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_218011 18s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_218011 3s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_218011 1s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_218011 6s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_218062 Received =~ /\[218\.6[23]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218062 Passed through possible spammer relay or source
+score SARE_RECV_IP_218062 1.111
+#stype SARE_RECV_IP_218062 spamp
+#hist SARE_RECV_IP_218062 Created by Bob Menschel Aug 09 2004
+#counts SARE_RECV_IP_218062 25s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_218062 55s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_218062 21s/0h of
55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_218062 13s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_RECV_IP_218062 2s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_218062 29s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_218062 8s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_218062 7s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_218062 2s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_218062 5s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_IP_218071 Received =~ /\[218\.71\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218071 Spam passed through possible spammer relay
+score SARE_RECV_IP_218071 1.666
+#hist SARE_RECV_IP_218071 Created by Bob Menschel Apr 04 2004
+#counts SARE_RECV_IP_218071 257s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_RECV_IP_218071 14s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_218071 11s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_RECV_IP_218071 10s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_218071 11s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_218071 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_218071 4s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_218071 1s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_218071 126s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+
+header SARE_RECV_IP_218085 Received =~ /\[218\.8[56]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218085 Passed through possible spammer relay or source
+score SARE_RECV_IP_218085 1.666
+#stype SARE_RECV_IP_218085 spamp
+#hist SARE_RECV_IP_218085 Created by Bob Menschel Aug 23 2004
+#counts SARE_RECV_IP_218085 67s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_218085 122s/0h of 689155 corpus
(348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_218085 7s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_218085 8s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_RECV_IP_218085 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_218085 8s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_218085 21s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_218085 14s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_218085 17s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_218085 2s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_218085 20s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_218085 51s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+
+header SARE_RECV_IP_219159 Received =~ /\[219\.159\.(?:6[4-9]|[7-9]\d|\d{3})\.\d{1,3}\]/
+describe SARE_RECV_IP_219159 Spam passed through possible spammer relay
+score SARE_RECV_IP_219159 1.111
+#stype SARE_RECV_IP_219159 spamp
+#hist SARE_RECV_IP_219159 Created by Bob Menschel Apr 28 2004
+#counts SARE_RECV_IP_219159 21s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_219159 52s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_219159 13s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_219159 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_IP_219159 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_219159 3s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_219159 4s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_219159 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_219159 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_219159 2s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_219159 2s/0h of 45478 corpus (41529s/3949h MY)
05/16/05
+
+header SARE_RECV_IP_219248 Received =~ /\[219\.248\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_219248 Passed through possible spammer relay or source
+score SARE_RECV_IP_219248 1.666
+#hist SARE_RECV_IP_219248 Created by Bob Menschel Dec 09 2004
+#note SARE_RECV_IP_219248 Korea Network Information Center
+#counts SARE_RECV_IP_219248 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_219248 325s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_219248 26s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_219248 2s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_RECV_IP_219248 19s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_219248 4s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_219248 7s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_219248 30s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_219248 1s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_219248 11s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_RECV_IP_220168 Received =~ /\[220\.1(?:6[89]|70)\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_220168 Passed through possible spammer relay or source
+score SARE_RECV_IP_220168 1.666
+#note SARE_RECV_IP_220168 ChinaNet, Hunan Province
+#hist SARE_RECV_IP_220168 Created by Bob Menschel Nov 13 2004
+#counts SARE_RECV_IP_220168 39s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_220168 104s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_RECV_IP_220168 22s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_220168 6s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_RECV_IP_220168 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_220168 21s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_220168 39s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts
SARE_RECV_IP_220168 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_220168 2s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_220168 2s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_220168 111s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_RECV_IP_220189 Received =~ /\[220\.189\.(?:\d|[1-5]\d|6[0-3])\.\d{1,3}\]/
+describe SARE_RECV_IP_220189 Passed through possible spammer relay or source
+score SARE_RECV_IP_220189 0.844
+#hist SARE_RECV_IP_220189 Created by Bob Menschel May 1 2004
+#counts SARE_RECV_IP_220189 10s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_220189 28s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_RECV_IP_220189 3s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_220189 3s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_RECV_IP_220189 6s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_220189 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_220189 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_220189 18s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+
+header SARE_RECV_IP_221000 Received =~ /\[221\.[0-3]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_221000 Passed through possible spammer relay or source
+score SARE_RECV_IP_221000 1.433
+#hist SARE_RECV_IP_221000 Created by Bob Menschel Jul 24 2004
+#counts SARE_RECV_IP_221000 88s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_221000 117s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_221000 54s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_221000 20s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_RECV_IP_221000 56s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_221000 68s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_221000 13s/0h of 55848 corpus
(18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_221000 10s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_221000 7s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_221000 24s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_RECV_IP_222032 Received =~ /\[222\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_222032 Spam passed through possible spammer relay
+score SARE_RECV_IP_222032 2.222
+#stype SARE_RECV_IP_222032 spamp
+#note SARE_RECV_IP_222032 China Railway Telecommunications Center , Beijing
+#hist SARE_RECV_IP_222032 Created by Bob Menschel Feb 24 2005
+#counts SARE_RECV_IP_222032 730s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_222032 1699s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_222032 133s/1h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_RECV_IP_222032 53s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_RECV_IP_222032 103s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_222032 179s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_RECV_IP_222032 264s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_RECV_IP_222032 70s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_222032 38s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_RECV_IP_222032 56s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_RECV_IP_222032 89s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+#####################################################################################
+# SARE Reply-To Header Rules
+######## ###################### ##################################################
+
+#####################################################################################
+# SARE To/Cc Destination rules
+######## ###################### ##################################################
+
+header __SARE_TOCC_MULT_BIGFT5 ToCc =~
/(?:\@bigfoot.com\b.*){5}/i
+meta SARE_TOCC_MULT_BIGFT5 __SARE_TOCC_MULT_BIGFT5 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 || SARE_TOCC_MULT_BIGFT7 || SARE_TOCC_MULT_BIGFT6 )
+describe SARE_TOCC_MULT_BIGFT5 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT5 1.666
+#hist SARE_TOCC_MULT_BIGFT5 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT5 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_TOCC_MULT_BIGFT5 271s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_TOCC_MULT_BIGFT5 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT5 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_MULT_BIGFT5 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_MULT_BIGFT5 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_TOCC_MULT_BIGFT6 ToCc =~ /(?:\@bigfoot.com\b.*){6}/i
+meta SARE_TOCC_MULT_BIGFT6 __SARE_TOCC_MULT_BIGFT6 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 || SARE_TOCC_MULT_BIGFT7 )
+describe SARE_TOCC_MULT_BIGFT6 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT6 1.666
+#hist SARE_TOCC_MULT_BIGFT6 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT6 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_TOCC_MULT_BIGFT6 396s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_TOCC_MULT_BIGFT6 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT6 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_MULT_BIGFT6 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_MULT_BIGFT6 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_TOCC_MULT_BIGFT7 ToCc =~ /(?:\@bigfoot.com\b.*){7}/i
+meta SARE_TOCC_MULT_BIGFT7 __SARE_TOCC_MULT_BIGFT7 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 )
+describe SARE_TOCC_MULT_BIGFT7 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT7 1.122
+#hist
SARE_TOCC_MULT_BIGFT7 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT7 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_TOCC_MULT_BIGFT7 102s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_TOCC_MULT_BIGFT7 1s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_TOCC_MULT_BIGFT7 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_MULT_BIGFT7 1s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_TOCC_MULT_BIGFT7 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT7 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+
+header __SARE_TOCC_MULT_BIGFT8 ToCc =~ /(?:\@bigfoot.com\b.*){8}/i
+meta SARE_TOCC_MULT_BIGFT8 __SARE_TOCC_MULT_BIGFT8 && !( SARE_TOCC_MULT_BIGFT9 )
+describe SARE_TOCC_MULT_BIGFT8 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT8 1.172
+#stype SARE_TOCC_MULT_BIGFT8 fixed
+#hist SARE_TOCC_MULT_BIGFT8 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT8 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_TOCC_MULT_BIGFT8 111s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_TOCC_MULT_BIGFT8 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT8 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_MULT_BIGFT8 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_MULT_BIGFT8 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_TOCC_MULT_BIGFT9 ToCc =~ /(?:\@bigfoot.com\b.*){9}/i
+describe SARE_TOCC_MULT_BIGFT9 Sent to multiple bigfoot addresses
+score SARE_TOCC_MULT_BIGFT9 1.666
+#hist SARE_TOCC_MULT_BIGFT9 Created by Bob Menschel Apr 09 2004
+#counts SARE_TOCC_MULT_BIGFT9 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_TOCC_MULT_BIGFT9 283s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_TOCC_MULT_BIGFT9 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_MULT_BIGFT9 0s/0h of
20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_MULT_BIGFT9 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_MULT_BIGFT9 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE User-Agent rules
+######## ###################### ##################################################
+
+header SARE_USERAG_2 User-Agent =~ /eGroups Message Poster/
+describe SARE_USERAG_2 Strange user-agent header implying spam
+score SARE_USERAG_2 3.333
+#stype SARE_USERAG_2 spamgg
+#counts SARE_USERAG_2 81s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_USERAG_2 12s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_USERAG_2 3s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_USERAG_2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_USERAG_2 5s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_USERAG_2 23s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_USERAG_2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_USERAG_2 73s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_USERAG_2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_USERAG_2 2s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+
+header SARE_USERAG_3 User-Agent =~ /8.0 for Windows sub 6014/i
+describe SARE_USERAG_3 Strange user-agent header implying spam
+score SARE_USERAG_3 3.333
+#stype SARE_USERAG_3 spamgg
+#hist SARE_USERAG_3 Created by Bob Menschel Apr 28 2004
+#counts SARE_USERAG_3 81s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_USERAG_3 6s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
+#counts SARE_USERAG_3 3s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_USERAG_3 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_USERAG_3 4s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_USERAG_3 50s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts
SARE_USERAG_3 8s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_USERAG_3 9s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_USERAG_3 65s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_USERAG_3 1s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_USERAG_3 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+
+header SARE_USERAG_BAT User-Agent =~ /^The Bat!/
+describe SARE_USERAG_BAT Spamware pretending to be 'The Bat!'
+score SARE_USERAG_BAT 2.222
+#stype SARE_USERAG_BAT spamg
+#hist SARE_USERAG_BAT Tim Jackson, May 12 2005
+#counts SARE_USERAG_BAT 160s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_USERAG_BAT 43s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_USERAG_BAT 15s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_USERAG_BAT 28s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_USERAG_BAT 47s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_USERAG_BAT 182s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_USERAG_BAT 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_USERAG_BAT 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_USERAG_BAT 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_USERAG_SPAM0 User-Agent =~ /(?:Foxmail|VXmailer|Mail Bomber|Rodriquezmail|LMAIL|MOMENTUM)/
+describe SARE_USERAG_SPAM0 Was sent by a SPAM User Agent
+score SARE_USERAG_SPAM0 1.666
+#hist SARE_USERAG_SPAM0 SARE_TM2_RW_UA
+#counts SARE_USERAG_SPAM0 359s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_USERAG_SPAM0 29s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
+#counts SARE_USERAG_SPAM0 17s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_USERAG_SPAM0 21s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_USERAG_SPAM0 82s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_USERAG_SPAM0 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max
SARE_USERAG_SPAM0 29s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_USERAG_SPAM0 277s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_USERAG_SPAM0 2s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_USERAG_SPAM0 19s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+
+#####################################################################################
+# SARE X-Mailer Rules
+######## ###################### ##################################################
+
+header SARE_XMAIL_DYNAMAILER X-Mailer =~ /Dynamailer/
+describe SARE_XMAIL_DYNAMAILER Bulk email fingerprint (DynaMailer) found
+score SARE_XMAIL_DYNAMAILER 1.111
+#stype SARE_XMAIL_DYNAMAILER spamp
+#hist SARE_XMAIL_DYNAMAILER Suggested via SA Dev mailing list bug 4127, Feb 9 2005
+#counts SARE_XMAIL_DYNAMAILER 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_DYNAMAILER 14s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_DYNAMAILER 1s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
+#counts SARE_XMAIL_DYNAMAILER 0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
+#counts SARE_XMAIL_DYNAMAILER 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+#counts SARE_XMAIL_DYNAMAILER 1s/0h of 682 corpus (290s/392h CRF) 02/16/05
+#counts SARE_XMAIL_DYNAMAILER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_DYNAMAILER 4s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_XMAIL_DYNAMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_XMAIL_FNORD X-Mailer =~ m'KYX CP/M FNORD 5602'
+describe SARE_XMAIL_FNORD Recognized spam sign in xmail header
+score SARE_XMAIL_FNORD 1.666
+#hist SARE_XMAIL_FNORD Loren Wilton, Jul 23 2005
+#counts SARE_XMAIL_FNORD 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_FNORD 527s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_FNORD 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_XMAIL_FNORD 34s/0h of 10590
corpus (5819s/4771h CT) 07/26/05
+#counts SARE_XMAIL_FNORD 27s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_XMAIL_FNORD 6s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_XMAIL_FNORD 1s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+
+header SARE_XMAIL_RANDMAILER X-Mailer =~ /^([a-z]{4,12} ){1,3}$/
+describe SARE_XMAIL_RANDMAILER only 1-3 lowercase words in X-mailer field
+score SARE_XMAIL_RANDMAILER 2.222
+#hist SARE_XMAIL_RANDMAILER from Pierre Thomson
+#counts SARE_XMAIL_RANDMAILER 21s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_RANDMAILER 413s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_RANDMAILER 3s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_XMAIL_RANDMAILER 1s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_XMAIL_RANDMAILER 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_XMAIL_RANDMAILER 15s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_XMAIL_RANDMAILER 13s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_XMAIL_RANDMAILER 103s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_XMAIL_RANDMAILER 112s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_XMAIL_RANDMAILER 17s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_XMAIL_RANDMAILER 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+
+header SARE_XMAIL_TTBOARD X-Mailer =~ /TTBOARD/i
+describe SARE_XMAIL_TTBOARD X-Mailer used by spammer
+score SARE_XMAIL_TTBOARD 1.666
+#stype SARE_XMAIL_TTBOARD spamp
+#hist SARE_XMAIL_TTBOARD Created by Bob Menschel Jan 14 2005, based on info from Joel Rubin via Spam-L
+#counts SARE_XMAIL_TTBOARD 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_TTBOARD 230s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_XMAIL_TTBOARD 2s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_XMAIL_TTBOARD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_XMAIL_TTBOARD 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_XMAIL_TTBOARD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_TTBOARD 1s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_XMAIL_TTBOARD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Miscellaneous and X-Header header rules
+######## ###################### ##################################################
+
+header SARE_HEAD_FAKEPGP X-PGP-Key =~ m'=='
+describe SARE_HEAD_FAKEPGP email appears to have faked PGP identification
+score SARE_HEAD_FAKEPGP 2.222
+#counts SARE_HEAD_FAKEPGP 5s/0h of 9958 corpus (5628s/4330h AxB) 05/11/06
+#counts SARE_HEAD_FAKEPGP 57s/0h of 13283 corpus (7411s/5872h CT) 05/10/06
+#counts SARE_HEAD_FAKEPGP 166s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HEAD_FAKEPGP 174s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_FAKEPGP 524s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#max SARE_HEAD_FAKEPGP 583s/0h of 107069 corpus (74706s/32363h ML) 05/10/06
+#counts SARE_HEAD_FAKEPGP 0s/0h of 22947 corpus (17234s/5713h MY) 05/10/06
+#counts SARE_HEAD_FAKEPGP 554s/0h of 156969 corpus (82885s/74084h RM) 05/09/06
+
+header SARE_HEAD_LOC_INV1 Location =~ /^[a-z]+(?:\s[a-z]+)*$/ # no /i
+describe SARE_HEAD_LOC_INV1 Improper location
+score SARE_HEAD_LOC_INV1 1.666
+#hist SARE_HEAD_LOC_INV1 Loren Wilton, Feb 21 2005
+#counts SARE_HEAD_LOC_INV1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_LOC_INV1 130s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_LOC_INV1 2s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_HEAD_LOC_INV1 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_HEAD_LOC_INV1 127s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_LOC_INV1 110s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HEAD_LOC_INV1 570s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_LOC_INV1 24s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HEAD_LOC_INV1 14s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_HEAD_LOC_INV1 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+
+header __SARE_HEAD_MIME_PROD MIME-Version =~ /\(produced by [a-z]+ \d\.\d\)/
+header __SARE_HEAD_MIME_PROD2 Mime-Version =~ /^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$/
+header __SARE_HEAD_MIME_PROD3 MIME-Version =~ /1.0 \(produced by [a-z]+ \d+\.\d+\)\s*$/
+meta SARE_HEAD_MIME_PROD __SARE_HEAD_MIME_PROD || __SARE_HEAD_MIME_PROD2 || __SARE_HEAD_MIME_PROD3
+describe SARE_HEAD_MIME_PROD Ratware MIME Version
+score SARE_HEAD_MIME_PROD 2.666
+#hist SARE_HEAD_MIME_PROD Originally: SARE_TM2_RW_MV
+#hist SARE_HEAD_MIME_PROD Feb 26 2005: Added patterns offered by Eric Fagan and Loren Wilton
+#counts SARE_HEAD_MIME_PROD 124s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_MIME_PROD 862s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_MIME_PROD 44s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_HEAD_MIME_PROD 9s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_HEAD_MIME_PROD 460s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_MIME_PROD 44s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HEAD_MIME_PROD 1239s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_MIME_PROD 309s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_MIME_PROD 364s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_HEAD_MIME_PROD 236s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_HEAD_MIME_PROD 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+header SARE_HEAD_MSMPR_RNDSTR X-MSMail-Priority =~ /PRIORITY_STRING/i
+describe SARE_HEAD_MSMPR_RNDSTR Spam passed through iswest.net relay
+score SARE_HEAD_MSMPR_RNDSTR 1.666
+#stype SARE_HEAD_MSMPR_RNDSTR spamg
+#counts SARE_HEAD_MSMPR_RNDSTR 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_MSMPR_RNDSTR 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_MSMPR_RNDSTR 5s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
+#counts SARE_HEAD_MSMPR_RNDSTR 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_MSMPR_RNDSTR 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
+#counts SARE_HEAD_MSMPR_RNDSTR 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_HEAD_MSMPR_RNDSTR 14s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_MSMPR_RNDSTR 65s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header __SARE_HEAD_SUBJ_RAND Subject =~ /^(?:R[Ee]: )?(?:[a-z]{2,20}[\-\.\,]?\s?){1,8}/ # no /i!
+meta SARE_HEAD_SUBJ_RAND (__SARE_HEAD_SUBJ_RAND && (SARE_XMAIL_SUSP2 || SARE_HEAD_XAUTH_WARN || X_AUTH_WARN_FAKED))
+describe SARE_HEAD_SUBJ_RAND Subject is possibly random words
+score SARE_HEAD_SUBJ_RAND 1.033
+#hist SARE_HEAD_SUBJ_RAND LW_BOGUS_SUBJECT
+#hist SARE_HEAD_SUBJ_RAND Added option for 3.0 rule X_AUTH_WARN_FAKED
+#hist SARE_HEAD_SUBJ_RAND Returned from file 2 May 2006
+#note SARE_HEAD_SUBJ_RAND Stored in HEADER rule set rather than SUBJ rule set because of its meta dependencies.
+#ham SARE_HEAD_SUBJ_RAND confirmed (1): Re: entropy depletion
+#counts SARE_HEAD_SUBJ_RAND 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_SUBJ_RAND 343s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
+#counts SARE_HEAD_SUBJ_RAND 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_SUBJ_RAND 82s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_SUBJ_RAND 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HEAD_SUBJ_RAND 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HEAD_SUBJ_RAND 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_SUBJ_RAND 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_XMIMEO_MS X-MimeOLE =~ /Mircosoft MimeOLE/i
+describe SARE_HEAD_XMIMEO_MS Ratware-misspelled header
+score SARE_HEAD_XMIMEO_MS 1.666
+#stype SARE_HEAD_XMIMEO_MS spamg
+#hist SARE_HEAD_XMIMEO_MS Idea from dfs@roaringpenguin.com, http://bugzilla.spamassassin.org/show_bug.cgi?id=3349
+#counts SARE_HEAD_XMIMEO_MS 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_XMIMEO_MS 36s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#counts SARE_HEAD_XMIMEO_MS 1s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
+#counts SARE_HEAD_XMIMEO_MS 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_HEAD_XMIMEO_MS 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HEAD_XMIMEO_MS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XMIMEO_MS 4s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HEAD_XMIMEO_MS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_XORIP_IP X-Originating-IP =~ /IP/i
+describe SARE_HEAD_XORIP_IP header points to probable spammer
+score SARE_HEAD_XORIP_IP 3.333
+#stype SARE_HEAD_XORIP_IP spamg
+#hist SARE_HEAD_XORIP_IP Returned from file 2 May 2006
+#counts SARE_HEAD_XORIP_IP 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_XORIP_IP 4347s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
+#counts SARE_HEAD_XORIP_IP 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_HEAD_XORIP_IP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_XORIP_IP 26s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HEAD_XORIP_IP 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XORIP_IP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Rules which identify headers found in email bodies
+######## ###################### ##################################################
+
+#####################################################################################
+# SARE Rules which examine multiple header types
+######## ###################### ##################################################
+
+header __THEBAT_MUA X-Mailer =~ /The Bat!/
+header __SARE_HEAD_WEBMAIL Message-ID =~ /<.+\@(yahoo|hotmail|cfswebmail)\.com>$/i
+header __SARE_HEAD_MAIL_BAT2 User-Agent =~ /^The Bat!/
+meta SARE_HEAD_BAT_WEB __SARE_HEAD_WEBMAIL && ( __THEBAT_MUA || __SARE_HEAD_MAIL_BAT2 )
+describe SARE_HEAD_BAT_WEB Webmail message ID, but The Bat! X-Mailer
+score SARE_HEAD_BAT_WEB 3.333
+#stype SARE_HEAD_BAT_WEB spamg
+#hist SARE_HEAD_BAT_WEB Tim Jackson, May 11 2005
+#counts SARE_HEAD_BAT_WEB 104s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_BAT_WEB 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_BAT_WEB 10s/0h of 55126 corpus (50787s/4339h AxB2) 05/14/06
+#counts SARE_HEAD_BAT_WEB 3s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_HEAD_BAT_WEB 79s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_HEAD_BAT_WEB 38s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_BAT_WEB 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_BAT_WEB 48s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+
+header __SARE_MULT_BMASTGR1 Received =~ /for bmastgr\@/
+header __SARE_MULT_BMASTGR2 ToCc =~ /\bbmastgr\@/
+header __SARE_MULT_BMASTGR3 From =~ /\bbmastgr\@/
+header __SARE_MULT_BMASTGR4 Envelope-to =~ /\bbmastgr\@/
+header __SARE_MULT_BMASTGR5 Subject =~ /\bbmastgr\b/
+meta SARE_MULT_BMASTGR ( __SARE_MULT_BMASTGR1 || __SARE_MULT_BMASTGR2 || __SARE_MULT_BMASTGR3 || __SARE_MULT_BMASTGR4 || __SARE_MULT_BMASTGR5 )
+describe SARE_MULT_BMASTGR Directed to/from invalid address
+score SARE_MULT_BMASTGR 5.000
+#stype SARE_MULT_BMASTGR spamggg
+#hist SARE_MULT_MBASTGR Missing meta dependencies fixed by Fred T, Oct 6 2005
+#counts SARE_MULT_BMASTGR 159s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_MULT_BMASTGR 1336s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
+#counts SARE_MULT_BMASTGR 2s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#counts SARE_MULT_BMASTGR 3s/0h of 155711 corpus (104163s/51548h DOC) 05/15/06
+#counts SARE_MULT_BMASTGR 3s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_MULT_BMASTGR 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_MULT_BMASTGR 12s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
+#counts SARE_MULT_BMASTGR 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_MULT_BMASTGR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+
+header SARE_MULT_FROM ALL =~ /\nFrom:.{10,150}\nFrom:.{10,150}\nFrom:/s
+score SARE_MULT_FROM 0.777
+describe SARE_MULT_FROM Many from lines
+#hist SARE_MULT_FROM Loren Wilton, June 2005
+#counts SARE_MULT_FROM 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_MULT_FROM 40s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
+#counts SARE_MULT_FROM 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_MULT_FROM 6s/0h of 42264 corpus (34146s/8118h FVGT) 05/15/06
+#counts SARE_MULT_FROM 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_MULT_FROM 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+# EOF
+
+
diff --git a/common/sare/70_sare_header1.cf b/common/sare/70_sare_header1.cf
new file mode 100644
index 0000000..d8d7c0b
--- /dev/null
+++ b/common/sare/70_sare_header1.cf
@@ -0,0 +1,2046 @@
+# SARE Header Abuse Ruleset for SpamAssassin -- file 1
+# Version: 01.03.21
+# Created: 2004-04-25
+# Modified: 2006-05-21
+# Usage instructions and documentation in 70_sare_header0.cf
+
+# Full Revision History / Change Log in 70_sare_header.log
+#@@# 01.03.20 May 20 2005
+#@@# Minor score updates based on additional mass-check
+#@@# Modified "rule has been moved" meta flags
+#@@# Archived from file 1 SARE_FROM_SPAM_DOMN0
+#@@# Archived from file 1 SARE_HEAD_HDR_ALTREC
+#@@# Archived from file 1 SARE_HEAD_HDR_XBBOUNC
+#@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL2
+#@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL4
+#@@# Archived from file 1 SARE_HEAD_HDR_XMEBDOM
+#@@# Archived from file 1 SARE_HEAD_HDR_XWTID
+#@@# Archived from file 1 SARE_HEAD_HDR_XWTVERS
+#@@# Archived from file 1 SARE_HEAD_ORIG_RECIP
+#@@# Archived from file 1 SARE_RECV_IP_195229
+#@@# Moved file 0 to file 1 SARE_FREE_WEBM_EsTerra
+#@@# Moved file 0 to file 1 SARE_FROM_SPAM_NAME2A
+#@@# Moved file 0 to file 1 SARE_HEAD_DATE46
+#@@# Moved file 0 to file 1 SARE_HEAD_HDR_XEMAIL
+#@@# Moved file 0 to file 1 SARE_HEAD_MIME_INVALID
+#@@# Moved file 0 to file 1 SARE_RECV_IP_063106130
+#@@# Moved file 1 to file 0 SARE_HEAD_HDR_XLISTAD
+#@@# Moved file 1 to file 0 SARE_HEAD_MSMPR_RNDSTR
+#@@# Moved file 1 to file 0 SARE_RECV_IP_209190
+#@@# Moved file 1 to file 2 SARE_HEAD_DATE_RNDDATE
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_MSGTYPE
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_X400RCV
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_XCNDINF
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_XRIPE
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_XSAFMMI
+#@@# Moved file 1 to file 2 SARE_RECV_IP_062023
+#@@# Moved file 1 to file 2 SARE_RECV_IP_065205157
+#@@# Moved file 1 to file 2 SARE_RECV_IP_066248154
+#@@# Moved file 1 to file 2 SARE_RECV_IP_206248152
+#@@# Moved file 1 to file 2 SARE_RECV_RND_DATE
+#@@# Moved file 1 to file 2 SARE_XMAIL_GDI
+#@@# Moved file 1 to file 3 SARE_HEAD_DATE_5L
+#@@# Moved file 1 to file 3 SARE_HEAD_XWORD
+#@@# Moved file 1 to file 3 SARE_RECV_IP_063106130
+#@@# Moved file 1 to file 3 SARE_RECV_IP_064034
+#@@# Moved file 1 to file 3 SARE_XMAIL_GOMAIL
+#@@# Moved file 1 to file 3 SARE_XMAIL_TOLMAIL
+#@@# Moved from file 1 to 3 SARE_FROM_DVDCOPY
+#@@# Moved from file 1 to 3 SARE_RECV_FREESERVE
+#@@# Returned file 1 to file 0 SARE_HEAD_HDR_XTID
+#@@# Returned file 1 to file 0 SARE_RECV_IP_163125
+#@@# Returned file 2 to file 1 SARE_RECV_IP_142046
+#@@# 01.03.21 May 21 2005
+#@@# Minor repairs to "downgraded rule" metas.
+
+# License: Artistic - see http://www.rulesemporium.com/license.txt
+# Current Maintainer: Bob Menschel - RMSA@Menschel.net
+# Current Home: http://www.rulesemporium.com/rules/70_sare_header1.cf
+
+######## ###################### ##################################################
+# Component rules used within meta rules
+######## ###################### ##################################################
+
+header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
+
+######## ###################### ##################################################
+# Meta rules used to prevent --lint errors after moving/changing rules
+######## ###################### ##################################################
+
+meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
+meta SARE_FREE_WEBM_CZSEZNA __SARE_HEAD_FALSE
+meta SARE_FROM_MULTI_DASH __SARE_HEAD_FALSE
+meta SARE_HEAD_DATE18 __SARE_HEAD_FALSE
+meta SARE_MSGID_LONG40 __SARE_HEAD_FALSE
+meta SARE_MSGID_LONG55 __SARE_HEAD_FALSE
+meta SARE_MULT_VIA_FWCATS __SARE_HEAD_FALSE
+meta SARE_RECV_IP_064080 __SARE_HEAD_FALSE
+meta SARE_RECV_ISWEST __SARE_HEAD_FALSE
+meta SARE_FROM_AMERICA __SARE_HEAD_FALSE
+meta SARE_MSGID_06D6 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_212164 __SARE_HEAD_FALSE
+meta SARE_BOUNDARY_MULTB __SARE_HEAD_FALSE
+meta SARE_FROM_NUM_9DIG __SARE_HEAD_FALSE
+meta SARE_FROM_PRINTER __SARE_HEAD_FALSE
+meta SARE_HEAD_8BIT_NOSPM __SARE_HEAD_FALSE
+meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XCCDIAG __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XMAILTH __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XSMTPSV __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XUMAIL __SARE_HEAD_FALSE
+meta SARE_HELO_SERVER __SARE_HEAD_FALSE
+meta SARE_MSGID_LONG35 __SARE_HEAD_FALSE
+meta SARE_MSGID_LONG65 __SARE_HEAD_FALSE
+meta SARE_MSGID_LONG75 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_066111 __SARE_HEAD_FALSE
+meta SARE_RECV_SUSP_3 __SARE_HEAD_FALSE
+meta SARE_XMAIL_XMAIL __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XEMGBMS __SARE_HEAD_FALSE
+meta SARE_HEAD_XCANIT1 __SARE_HEAD_FALSE
+meta SARE_HEAD_XCANIT2 __SARE_HEAD_FALSE
+meta SARE_MSGID_SPAM_DOMN0 __SARE_HEAD_FALSE
+meta SARE_MSGID_SUSP2 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_081019 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_211049 __SARE_HEAD_FALSE
+meta SARE_RECV_RND_NUMBER __SARE_HEAD_FALSE
+meta SARE_FROM_NONAME __SARE_HEAD_FALSE
+meta SARE_FROM_SPAM_CHAR0 __SARE_HEAD_FALSE
+meta SARE_HEAD_XCOM_RFCMIN __SARE_HEAD_FALSE
+meta SARE_RECV_IP_080178 __SARE_HEAD_FALSE
+meta SARE_XMAIL_SUSP3 __SARE_HEAD_FALSE
+meta SARE_MSGID_DBL_AT __SARE_HEAD_FALSE
+meta SARE_FREE_WEBM_USACOPS __SARE_HEAD_FALSE
+meta SARE_FROM_SPAM_DOMN0 __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_ALTREC __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XBBOUNC __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XLEGAL2 __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XLEGAL4 __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XMEBDOM __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XWTID __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XWTVERS __SARE_HEAD_FALSE
+meta SARE_HEAD_ORIG_RECIP __SARE_HEAD_FALSE
+meta SARE_RECV_IP_195229 __SARE_HEAD_FALSE
+meta SARE_FREE_WEBM_EsTerra __SARE_HEAD_FALSE
+meta SARE_FROM_SPAM_NAME2A __SARE_HEAD_FALSE
+meta SARE_HEAD_DATE46 __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XEMAIL __SARE_HEAD_FALSE
+meta SARE_HEAD_MIME_INVALID __SARE_HEAD_FALSE
+meta SARE_RECV_IP_063106130 __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XLISTAD __SARE_HEAD_FALSE
+meta SARE_HEAD_MSMPR_RNDSTR __SARE_HEAD_FALSE
+meta SARE_RECV_IP_209190 __SARE_HEAD_FALSE
+meta SARE_HEAD_DATE_RNDDATE __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_MSGTYPE __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_X400RCV __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XCNDINF __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XRIPE __SARE_HEAD_FALSE
+meta SARE_HEAD_HDR_XSAFMMI __SARE_HEAD_FALSE
+meta SARE_RECV_IP_062023 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_065205157 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_066248154 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_206248152 __SARE_HEAD_FALSE
+meta SARE_RECV_RND_DATE __SARE_HEAD_FALSE
+meta SARE_XMAIL_GDI __SARE_HEAD_FALSE
+meta SARE_HEAD_DATE_5L __SARE_HEAD_FALSE
+meta SARE_HEAD_XWORD __SARE_HEAD_FALSE
+meta SARE_RECV_IP_063106130 __SARE_HEAD_FALSE
+meta SARE_RECV_IP_064034 __SARE_HEAD_FALSE
+meta SARE_XMAIL_GOMAIL __SARE_HEAD_FALSE
+meta SARE_XMAIL_TOLMAIL __SARE_HEAD_FALSE
+meta SARE_FROM_DVDCOPY __SARE_HEAD_FALSE
+meta SARE_RECV_FREESERVE __SARE_HEAD_FALSE
+
+#####################################################################################
+# SARE Header-Exists rules
+######## ###################### ##################################################
+
+header SARE_HEAD_HDR_APPROV exists:Approved
+describe SARE_HEAD_HDR_APPROV Message headers used which identify spam
+score SARE_HEAD_HDR_APPROV 0.166
+#hist SARE_HEAD_HDR_APPROV Moved file 0 to 1, version 01.03.09, 2 ham confirmed
+#counts SARE_HEAD_HDR_APPROV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_APPROV 163s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_APPROV 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_HEAD_HDR_APPROV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_APPROV 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_APPROV 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_APPROV 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_HEAD_HDR_APPROV 19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_APPROV 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_HDR_APPROV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_DISCREC exists:Disclose-Recipients
+describe SARE_HEAD_HDR_DISCREC Message headers used which identify spam
+score SARE_HEAD_HDR_DISCREC 0.772
+#ham SARE_HEAD_HDR_DISCREC confirmed (4), Used by usdoj.gov
+#counts SARE_HEAD_HDR_DISCREC 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_DISCREC 210s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_HEAD_HDR_DISCREC 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_HEAD_HDR_DISCREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_DISCREC 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_DISCREC 33s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_DISCREC 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_HEAD_HDR_DISCREC 9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_DISCREC 4s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_HDR_DISCREC 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_HEAD_HDR_XEMAIL exists:X-EMail
+describe SARE_HEAD_HDR_XEMAIL Message headers used which identify spam
+score SARE_HEAD_HDR_XEMAIL 1.666
+#ham SARE_HEAD_HDR_XEMAIL confirmed (several, one source)
+#counts SARE_HEAD_HDR_XEMAIL 221s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XEMAIL 841s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XEMAIL 78s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XEMAIL 458s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_HDR_XEMAIL 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XEMAIL 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+
+header SARE_HEAD_HDR_XENC exists:X-ENC
+describe SARE_HEAD_HDR_XENC Message headers used which identify spam
+score SARE_HEAD_HDR_XENC 0.872
+#stype SARE_HEAD_HDR_XENC spamp
+#hist SARE_HEAD_HDR_XENC Created by Bob Menschel Sep 03 2004
+#counts SARE_HEAD_HDR_XENC 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_HEAD_HDR_XENC 19s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_HDR_XENC 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_HEAD_HDR_XENC 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_HEAD_HDR_XENC 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
+#counts SARE_HEAD_HDR_XENC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XENC 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_HDR_XENC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __HAS_RCVD exists:Received
+header __SARE_HEAD_HDR_IDKEY exists:X-Identity-Key
+meta SARE_HEAD_HDR_XIDKEY __SARE_HEAD_HDR_IDKEY && __HAS_RCVD
+header SARE_HEAD_HDR_XIDKEY exists:X-Identity-Key
+describe SARE_HEAD_HDR_XIDKEY Apparent spam sign in headers
+score SARE_HEAD_HDR_XIDKEY 1.666
+#ham SARE_HEAD_HDR_XIDKEY verified (4)
+#hist SARE_HEAD_HDR_XIDKEY Created by Chris Santerre Aug 31 2004
+#counts SARE_HEAD_HDR_XIDKEY 30s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XIDKEY 3611s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_HDR_XIDKEY 232s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
+#counts SARE_HEAD_HDR_XIDKEY 68s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_HDR_XIDKEY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HEAD_HDR_XIDKEY 104s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_HEAD_HDR_XIDKEY 367s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_HDR_XIDKEY 859s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+ +header __SARE_HEAD_HDR_XLEGAL exists:X-Legal +header __SARE_HEAD_HDR_XLEGAC X-Legal =~ m'copyright|\(c\)'i +header __SARE_HEAD_HDR_XLEGAI X-Legal =~ m'in compliance'i +header __SARE_HEAD_HDR_XLEGAB X-Legal =~ m'BE ADVISED'i +meta SARE_HEAD_HDR_XLEGAL1 __SARE_HEAD_HDR_XLEGAB && __SARE_HEAD_HDR_XLEGAI && !__SARE_HEAD_HDR_XLEGAC +describe SARE_HEAD_HDR_XLEGAL1 Message headers used which identify spam +score SARE_HEAD_HDR_XLEGAL1 1.666 +#stype SARE_HEAD_HDR_XLEGAL1 spamgg +#hist SARE_HEAD_HDR_XLEGAL1 Bob Menschel, Aug 07 2005 +#counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XLEGAL1 7s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 +#counts SARE_HEAD_HDR_XLEGAL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05 + +meta SARE_HEAD_HDR_XLEGAL3 __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !__SARE_HEAD_HDR_XLEGAC +describe SARE_HEAD_HDR_XLEGAL3 Message headers used which identify spam +score SARE_HEAD_HDR_XLEGAL3 1.666 +#stype SARE_HEAD_HDR_XLEGAL3 spamgg +#hist SARE_HEAD_HDR_XLEGAL3 Bob Menschel, Aug 07 2005 +#counts SARE_HEAD_HDR_XLEGAL3 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 +#counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05 + +header SARE_HEAD_HDR_XMAILID exists:X-Mailid +describe SARE_HEAD_HDR_XMAILID Message headers used which identify spam +score SARE_HEAD_HDR_XMAILID 1.666 +#ham SARE_HEAD_HDR_XMAILID confirmed +#counts SARE_HEAD_HDR_XMAILID 248s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#counts SARE_HEAD_HDR_XMAILID 4s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06 +#counts SARE_HEAD_HDR_XMAILID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMAILID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 
02/01/05 +#counts SARE_HEAD_HDR_XMAILID 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#was SARE_HEAD_HDR_XMAILID 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMAILID 5s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_HEAD_HDR_XMLRSRV exists:X-Mailer-Server +describe SARE_HEAD_HDR_XMLRSRV Message headers used which identify spam +score SARE_HEAD_HDR_XMLRSRV 0.555 +#ham SARE_HEAD_HDR_XMLRSRV verified (1) +#counts SARE_HEAD_HDR_XMLRSRV 2s/5h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XMLRSRV 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMLRSRV 84s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XRESPID exists:X-Response-ID +describe SARE_HEAD_HDR_XRESPID Message headers used which identify spam +score SARE_HEAD_HDR_XRESPID 0.528 +#ham SARE_HEAD_HDR_XRESPID confirmed (1) +#counts SARE_HEAD_HDR_XRESPID 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XRESPID 35s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XRESPID 18s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XRESPID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XRESPID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XRESPID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XRESPID 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_HEAD_HDR_XSIDPRA exists:X-SID-PRA +describe SARE_HEAD_HDR_XSIDPRA fingerprint +score SARE_HEAD_HDR_XSIDPRA 0.616 +#ham SARE_HEAD_HDR_XSIDPRA confirmed +#hist SARE_HEAD_HDR_XSIDPRA Alex 
Broens, Aug 3 2005 +#counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XSIDPRA 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XSIDPRA 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XSIDPRA 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_HEAD_HDR_XSIDPRA 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 +#counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 + +header SARE_HEAD_HDR_XSIDRES exists:X-SID-Result +describe SARE_HEAD_HDR_XSIDRES fingerprint +score SARE_HEAD_HDR_XSIDRES 0.616 +#ham SARE_HEAD_HDR_XSIDRES confirmed +#hist SARE_HEAD_HDR_XSIDRES Alex Broens, Aug 3 2005 +#counts SARE_HEAD_HDR_XSIDRES 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XSIDRES 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XSIDRES 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_HEAD_HDR_XSIDRES 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_HEAD_HDR_XSIDRES 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 +#counts SARE_HEAD_HDR_XSIDRES 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 + +##################################################################################### +# SARE Content-Type and Boundary rules +######## ###################### ################################################## + +header SARE_BOUNDARY_05 Content-Type =~ /boundary="-{8}[a-z]{20}"/ +describe SARE_BOUNDARY_05 Content type boundary used in spam +score SARE_BOUNDARY_05 1.666 +#stype SARE_BOUNDARY_05 vbggg +#hist SARE_BOUNDARY_05 Moved from file 0 to 1 May 2005 +#counts SARE_BOUNDARY_05 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_BOUNDARY_05 451s/0h of 66979 corpus (41757s/25222h RM) 09/04/04 +#counts SARE_BOUNDARY_05 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_BOUNDARY_05 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max 
SARE_BOUNDARY_05 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_BOUNDARY_05 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#counts SARE_BOUNDARY_05 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_BOUNDARY_05 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_BOUNDARY_06 Content-Type =~ /boundary="Boundary_\w{5}_\w{4}_\w{23}"/i +describe SARE_BOUNDARY_06 Content type boundary used in spam +score SARE_BOUNDARY_06 1.666 +#stype SARE_BOUNDARY_06 vbggg +#hist SARE_BOUNDARY_06 Created by Bob Menschel May 4 2004 +#hist SARE_BOUNDARY_06 Moved from file 0 to 1 May 2005 +#counts SARE_BOUNDARY_06 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_BOUNDARY_06 84s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_BOUNDARY_06 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 +#counts SARE_BOUNDARY_06 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_BOUNDARY_06 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_BOUNDARY_06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_BOUNDARY_08 Content-Type =~ /boundary="[\.\_]*(?:[A-Z\d]+[\.\_]+){4,20}[A-Z\d]*\"/s +describe SARE_BOUNDARY_08 Improbable MIME boundary format +score SARE_BOUNDARY_08 1.666 +#hist SARE_BOUNDARY_08 LW_BOUNDARY1 +#ham SARE_BOUNDARY_08 ServiceMagic , 2001 +#ham SARE_BOUNDARY_08 verizon wireless picture phone transmission +#counts SARE_BOUNDARY_08 613s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_BOUNDARY_08 5929s/6h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_BOUNDARY_08 38s/3h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_BOUNDARY_08 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_BOUNDARY_08 228s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_BOUNDARY_08 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_BOUNDARY_08 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_BOUNDARY_08 1s/0h of 
13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_BOUNDARY_08 18s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_BOUNDARY_08 826s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_BOUNDARY_08 243s/2h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_BOUNDARY_D10 Content-Type =~ /boundary="\d{10}"/ +describe SARE_BOUNDARY_D10 Content type boundary used in spam or virus +score SARE_BOUNDARY_D10 0.444 +#ham SARE_BOUNDARY_D10 verified (1) +#hist SARE_BOUNDARY_D10 Created by Bob Menschel May 31 2004 +#counts SARE_BOUNDARY_D10 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_BOUNDARY_D10 134s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_BOUNDARY_D10 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_BOUNDARY_D10 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_BOUNDARY_D10 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_BOUNDARY_D10 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_BOUNDARY_D10 5s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_BOUNDARY_D10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_BOUNDARY_LC Content-Type =~ /boundary="(?!ffff)[a-z]+"/ +describe SARE_BOUNDARY_LC Content type boundary used in spam +score SARE_BOUNDARY_LC 1.666 +#ham SARE_BOUNDARY_LC questionable newsletters +#hist SARE_BOUNDARY_LC Created by Bob Menschel May 31 2004 +#ham SARE_BOUNDARY_LC "ffff": Game Rival , ThePerfectGreeting +#counts SARE_BOUNDARY_LC 0s/3h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_BOUNDARY_LC 899s/4h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_BOUNDARY_LC 44s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_BOUNDARY_LC 83s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_BOUNDARY_LC 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_BOUNDARY_LC 0s/1h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_BOUNDARY_LC 125s/0h of 11052 corpus 
(6614s/4438h CT) 03/10/05
+#counts SARE_BOUNDARY_LC 15s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_BOUNDARY_LC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_BOUNDARY_NP2 Content-Type =~ /boundary=".*_NextPart_.*_NextPart_/
+describe SARE_BOUNDARY_NP2 Content type boundary used in spam and viruses
+score SARE_BOUNDARY_NP2 4.000
+#stype SARE_BOUNDARY_NP2 vbg
+#hist SARE_BOUNDARY_NP2 Created by Bob Menschel May 31 2004
+#hist SARE_BOUNDARY_NP2 Bugzilla entry 3861, Oct 03 2004
+#counts SARE_BOUNDARY_NP2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_NP2 1118s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
+#counts SARE_BOUNDARY_NP2 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_BOUNDARY_NP2 37s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_BOUNDARY_NP2 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_BOUNDARY_NP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_NP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE From Rules
+######## ###################### ##################################################
+
+header SARE_FROM_AST From =~ /<\*\@.{1,50}\..{1,3}/
+describe SARE_FROM_AST Invalid character in email address
+score SARE_FROM_AST 0.666
+#hist SARE_FROM_AST Originally submitted by Fred Tarasevicius
+#hist SARE_FROM_AST Returned from file 2 to file 1 Oct 2005
+#counts SARE_FROM_AST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_AST 20s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_FROM_AST 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_FROM_AST 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FROM_AST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_AST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_CAPS_MSN From =~ /"[^"]+" <[A-Z]+\@msn.com>/
# no /i
+describe SARE_FROM_CAPS_MSN Ratware all-caps MSN from address
+score SARE_FROM_CAPS_MSN 0.828
+#ham SARE_FRMO_CAPS_MSN verified (3)
+#hist SARE_FROM_CAPS_MSN Created by Bob Menschel May 15 2004
+#counts SARE_FROM_CAPS_MSN 18s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_CAPS_MSN 421s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
+#counts SARE_FROM_CAPS_MSN 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_FROM_CAPS_MSN 48s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FROM_CAPS_MSN 102s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_FROM_CAPS_MSN 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_FROM_CAPS_MSN 59s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FROM_CAPS_MSN 28s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_FROM_CAPS_MSN 51s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_FROM_CAPS_MSN 61s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_FROM_CAPS_MSN 28s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_FROM_DRUGS2 From =~ /\bsoma\b/i
+describe SARE_FROM_DRUGS2 From a drug
+score SARE_FROM_DRUGS2 0.644
+#ham SARE_FROM_DRUGS2 verified (3)
+#hist SARE_FROM_DRUGS2 Bob Menschel June 25 2005; ham email from userid = soma
+#counts SARE_FROM_DRUGS2 1s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_DRUGS2 79s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_DRUGS2 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+#max SARE_FROM_DRUGS2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#counts SARE_FROM_DRUGS2 20s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_FROM_DRUGS2 62s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_DRUGS2 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_FROM_DRUGS2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+
+header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i # SA 3.1.0
+header
__SARE_FROM_NONAME From =~ /"" ?/
+describe SARE_MSGID_QMAIL1 Contains spoofing message id
+score SARE_MSGID_QMAIL1 0.056
+#ham SARE_MSGID_QMAIL1 confirmed
+#hist SARE_MSGID_QMAIL1 David Hooton, Fri, 11 Jun 2004
+#counts SARE_MSGID_QMAIL1 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_MSGID_QMAIL1 31s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
+#counts SARE_MSGID_QMAIL1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_MSGID_QMAIL1 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_MSGID_QMAIL1 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_MSGID_QMAIL1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_MSGID_QMAIL1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_QMAIL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_MSGID_QMAIL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_MSGID_RATWARE2 MESSAGEID =~ /\<\d{10,15}\.\d{18,40}\@[a-z]+\>/ # no /i!
+describe SARE_MSGID_RATWARE2 Message-Id is
+score SARE_MSGID_RATWARE2 0.639
+#hist SARE_MSGID_RATWARE2 Loren Wilton Sat, 3 Apr 2004 20:29:32 -0800
+#matches SARE_MSGID_RATWARE2 numbers.numbers@letters
+#counts SARE_MSGID_RATWARE2 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_MSGID_RATWARE2 1640s/0h of 115925 corpus (94616s/21309h) 05/01/04
+#counts SARE_MSGID_RATWARE2 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_MSGID_RATWARE2 33s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_MSGID_RATWARE2 66s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_MSGID_RATWARE2 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_MSGID_RATWARE2 31s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_MSGID_RATWARE2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#max SARE_MSGID_RATWARE2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_MSGID_RATWARE2 3s/0h of 155430 corpus (103881s/51549h DOC)
05/15/06
+#counts SARE_MSGID_RATWARE2 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_MSGID_SHORT MESSAGEID =~ /^.{1,6}$/
+describe SARE_MSGID_SHORT Message ID is too short to be valid.
+score SARE_MSGID_SHORT 0.856
+#hist SARE_MSGID_SHORT RM_hm_ShortMsgid6
+#counts SARE_MSGID_SHORT 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_MSGID_SHORT 191s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
+#counts SARE_MSGID_SHORT 16s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_MSGID_SHORT 34s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_MSGID_SHORT 40s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_MSGID_SHORT 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_MSGID_SHORT 68s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_MSGID_SHORT 18s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_MSGID_SHORT 28s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+#####################################################################################
+# SARE Received Header Rules
+######## ###################### ##################################################
+
+header SARE_HELO_EQ_DSL_3 X-Spam-Relays-Untrusted =~ /helo=dsl-/
+score SARE_HELO_EQ_DSL_3 1.022
+#ham SARE_HELO_EQ_DSL_3 confirmed (several)
+#hist SARE_HELO_EQ_DSL_3 Frederic Tarasevicius, Feb 22 2005
+#counts SARE_HELO_EQ_DSL_3 232s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HELO_EQ_DSL_3 529s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HELO_EQ_DSL_3 51s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_HELO_EQ_DSL_3 143s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HELO_EQ_DSL_3 149s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HELO_EQ_DSL_3 23s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_HELO_EQ_DSL_3 42s/1h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_HELO_EQ_DSL_3 22s/2h of 13313 corpus
(7438s/5875h CT) 05/14/06
+#max SARE_HELO_EQ_DSL_3 68s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HELO_EQ_DSL_3 84s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HELO_EQ_DSL_3 117s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_HELO_EQ_PPPOE X-Spam-Relays-Untrusted =~ /helo=pppoe-\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}/i
+score SARE_HELO_EQ_PPPOE 0.555
+#stype SARE_HELO_EQ_PPPOE spamp
+#hist SARE_HELO_EQ_PPPOE Frederic Tarasevicius, Feb 22 2005
+#counts SARE_HELO_EQ_PPPOE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HELO_EQ_PPPOE 3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HELO_EQ_PPPOE 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
+#counts SARE_HELO_EQ_PPPOE 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HELO_EQ_PPPOE 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HELO_EQ_PPPOE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HELO_EQ_PPPOE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HELO_YAHOO Received =~ /helo=yahoo\.com/i
+describe SARE_HELO_YAHOO Received header has spamsign
+score SARE_HELO_YAHOO 0.828
+#ham SARE_HELO_YAHOO confirmed (6), generated by X-Mailer: Apple Mail (2.552)
+#hist SARE_HELO_YAHOO Created by Bob Menschel Oct 26 2004
+#counts SARE_HELO_YAHOO 41s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HELO_YAHOO 663s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HELO_YAHOO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HELO_YAHOO 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_HELO_YAHOO 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_HELO_YAHOO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_8BIT_RECV Received =~ /[\x80-\xff]{3,}/
+describe SARE_HEAD_8BIT_RECV High-ascii characters found in strange header
+score SARE_HEAD_8BIT_RECV 1.666
+#ham SARE_HEAD_8BIT_RECV verified (1)
+#hist SARE_HEAD_8BIT_RECV
From Bugzilla # 2243
+#counts SARE_HEAD_8BIT_RECV 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_8BIT_RECV 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_8BIT_RECV 21s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_HEAD_8BIT_RECV 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_8BIT_RECV 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+#counts SARE_HEAD_8BIT_RECV 10s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_HEAD_8BIT_RECV 13s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_8BIT_RECV 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_FEP5 Received =~ /by fep5\./i
+describe SARE_RECV_FEP5 Message contains known spam format
+score SARE_RECV_FEP5 1.666
+#ham SARE_RECV_FEP5 verified (1)
+#counts SARE_RECV_FEP5 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_FEP5 528s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#counts SARE_RECV_FEP5 7s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_RECV_FEP5 27s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_FEP5 479s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_FEP5 208s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_RECV_FEP5 72s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_FEP5 6s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_MDNETCOMBR Received =~ /\bmdnet\.com\.br/
+describe SARE_RECV_MDNETCOMBR Came through/fromsite used by spammer
+score SARE_RECV_MDNETCOMBR 0.756
+#counts SARE_RECV_MDNETCOMBR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_MDNETCOMBR 33s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_RECV_MDNETCOMBR 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_MDNETCOMBR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_RECV_MDNETCOMBR 0s/0h of 10853 corpus (6391s/4462h CT)
05/16/05
+#counts SARE_RECV_MDNETCOMBR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_PATMEDIA Received =~ /\bpatmedia\.net/i
+describe SARE_RECV_PATMEDIA Passed through possible spammer relay or source
+score SARE_RECV_PATMEDIA 0.964
+#stype SARE_RECV_PATMEDIA spamp
+#hist SARE_RECV_PATMEDIA Created by Bob Menschel Aug 19 2004
+#counts SARE_RECV_PATMEDIA 10s/19h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_PATMEDIA 47s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_PATMEDIA 15s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
+#counts SARE_RECV_PATMEDIA 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_PATMEDIA 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_PATMEDIA 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_PATMEDIA 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_PATMEDIA 93s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_PATMEDIA 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header __SARE_RECV_PORTHELOA Received =~ /helo=\[\w+\]/i
+header __SARE_RECV_PORTHELOB Received =~ /\(port=\d{4} helo=\[\w+\]\)/i
+header SARE_RECV_PORTHELO_1 Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \(port=\d{4} helo=\[\w+\]\)/i
+meta SARE_RECV_PORTHELO_2 __SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
+meta SARE_RECV_PORTHELO_3 __SARE_RECV_PORTHELOA && !__SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
+describe SARE_RECV_PORTHELO_1 Apparent Spamsign in Received header
+describe SARE_RECV_PORTHELO_2 Apparent Spamsign in Received header
+describe SARE_RECV_PORTHELO_3 Apparent Spamsign in Received header
+score SARE_RECV_PORTHELO_1 1.666
+#note SARE_RECV_PORTHELO_1 As of June 8 2005, all three rules in this family hit identically.
+#note SARE_RECV_PORTHELO_1 We score them based on their "safety".
+#hist SARE_RECV_PORTHELO_1 Loren Wilton, June 2005
+#counts SARE_RECV_PORTHELO_1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_PORTHELO_1 5201s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_PORTHELO_1 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_PORTHELO_1 42s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_PORTHELO_1 116s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_PORTHELO_1 0s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+#max SARE_RECV_PORTHELO_1 83s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
+#counts SARE_RECV_PORTHELO_1 69s/0h of 55754 corpus (18581s/37173h JH-3.01) 06/10/05
+#counts SARE_RECV_PORTHELO_1 230s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_PORTHELO_1 286s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+score SARE_RECV_PORTHELO_2 2.000
+#counts SARE_RECV_PORTHELO_2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+score SARE_RECV_PORTHELO_3 2.222
+#counts SARE_RECV_PORTHELO_3 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_PORTHELO_3 499s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_PORTHELO_3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+
+header SARE_RECV_SKANOVA Received =~ /\bskanova\.com/i
+describe SARE_RECV_SKANOVA From or passed through spammer/unreliable domain
+score SARE_RECV_SKANOVA 0.660
+#ham SARE_RECV_SKANOVA verified (several)
+#hist SARE_RECV_SKANOVA Created by Bob Menschel Apr 03 2004
+#counts SARE_RECV_SKANOVA 37s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SKANOVA 197s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SKANOVA 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_SKANOVA 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_SKANOVA 18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_SKANOVA 15s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts
SARE_RECV_SKANOVA 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_SKANOVA 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_SKANOVA 43s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_SKANOVA 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_SPAM_DOMN02 Received =~ /\b(?:dsl\.telesp|speedyterra)\.(?:com|net)\.br/
+describe SARE_RECV_SPAM_DOMN02 Email passed through apparent spammer domain
+score SARE_RECV_SPAM_DOMN02 1.666
+#ham SARE_RECV_SPAM_DOMN02 Confirmed (5)
+#counts SARE_RECV_SPAM_DOMN02 31s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SPAM_DOMN02 1953s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN02 138s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_SPAM_DOMN02 168s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#max SARE_RECV_SPAM_DOMN02 187s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_SPAM_DOMN02 17s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_SPAM_DOMN02 64s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_SPAM_DOMN02 60s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_RECV_SPAM_DOMN02 631s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_SPAM_DOMN02 194s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_SPAM_DOMN04 Received =~ /\b(?:megared)\.(?:com|net)\.mx/
+describe SARE_RECV_SPAM_DOMN04 Email passed through apparent spammer domain
+score SARE_RECV_SPAM_DOMN04 0.772
+#ham SARE_RECV_SPAM_DOMN04 verified (3)
+#counts SARE_RECV_SPAM_DOMN04 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SPAM_DOMN04 244s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN04 29s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_SPAM_DOMN04 34s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_DOMN04 6s/0h of 22942
corpus (17234s/5708h MY) 05/14/06
+#counts SARE_RECV_SPAM_DOMN04 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_SPAM_DOMN04 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_DOMN04 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_SPAM_DOMN04 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_SPAM_DOMN06 Received =~ /adsl.cust.tie.cl/i
+describe SARE_RECV_SPAM_DOMN06 Passed through possible spammer relay or source
+score SARE_RECV_SPAM_DOMN06 0.678
+#ham SARE_RECV_SPAM_DOMN06 verified (1)
+#hist SARE_RECV_SPAM_DOMN06 Created by Bob Menschel Jul 17 2004
+#counts SARE_RECV_SPAM_DOMN06 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SPAM_DOMN06 161s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN06 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_SPAM_DOMN06 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_DOMN06 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_SPAM_DOMN06 6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_SPAM_DOMN06 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_SPAM_DOMN06 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_DOMN06 27s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_SPAM_DOMN06 15s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_SPAM_DOMN0a Received =~ /\b(?:cyberemailings|netmedia-corp|themailservers|ucanrecover|vnuemedia|winnerssweepstakes|wseas|www--directory)\.(?:com|net|org|info)/
+describe SARE_RECV_SPAM_DOMN0a Email passed through apparent spammer domain
+score SARE_RECV_SPAM_DOMN0a 0.917
+#ham SARE_RECV_SPAM_DOMN0a 218-162-39-132.dynamic.hinet.net, valid/appropriate UCE
+#hist SARE_RECV_SPAM_DOMN0a freeserve.com removed May 16 2005
+#counts SARE_RECV_SPAM_DOMN0a 28s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max
SARE_RECV_SPAM_DOMN0a 242s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_RECV_SPAM_DOMN0a 19s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_SPAM_DOMN0a 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_SPAM_DOMN0a 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_DOMN0a 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_SPAM_DOMN0a 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_SPAM_DOMN0a 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_RECV_SPAM_DOMN0a 8s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_SPAM_DOMN0a 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_SPAM_DOMN0b Received =~ /\bdynamic.hinet\.(?:com|net|org|info)/
+describe SARE_RECV_SPAM_DOMN0b Email passed through apparent spammer domain
+score SARE_RECV_SPAM_DOMN0b 1.666
+#ham SARE_RECV_SPAM_DOMN0b confirmed (many)
+#counts SARE_RECV_SPAM_DOMN0b 1272s/39h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SPAM_DOMN0b 4287s/20h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN0b 809s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_SPAM_DOMN0b 40s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_SPAM_DOMN0b 25s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_SPAM_DOMN0b 59s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_SPAM_DOMN0b 43s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_RECV_SPAM_DOMN0b 600s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_SPAM_DOMN0b 399s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_SPEEDY_AR Received =~ /\b(?:speedy)\.(?:com|net)\.ar/
+describe SARE_RECV_SPEEDY_AR Email passed through apparent spammer domain
+score SARE_RECV_SPEEDY_AR 0.808
+#ham SARE_RECV_SPEEDY_AR
From: "Hushport Admin" , Received: from nairobi (200-63-141-89.speedy.com.ar [200.63.141.89])
+#counts SARE_RECV_SPEEDY_AR 60s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SPEEDY_AR 278s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPEEDY_AR 10s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
+#counts SARE_RECV_SPEEDY_AR 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_SPEEDY_AR 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_SPEEDY_AR 14s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_SPEEDY_AR 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_SPEEDY_AR 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPEEDY_AR 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_SPEEDY_AR 51s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_UK2NET2 Received =~ /\buk2\.net\b/i
+describe SARE_RECV_UK2NET2 Passed through possible spammer relay or source
+score SARE_RECV_UK2NET2 0.917
+#hist SARE_RECV_UK2NET2 Created by Bob Menschel Oct 01 2004
+#counts SARE_RECV_UK2NET2 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_RECV_UK2NET2 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_UK2NET2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_UK2NET2 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_UK2NET2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_RECV_UK2NET2 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_RECV_UK2NET2 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_UK2NET2 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_UK2NET2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_UK2NET2 7s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_VIRTUACOMBR Received =~ /\bvirtua\.com\.br/
+describe SARE_RECV_VIRTUACOMBR Came
through/fromsite used by spammer
+score SARE_RECV_VIRTUACOMBR 1.193
+#ham SARE_RECV_VIRTUACOMBR confirmed (4)
+#hist SARE_RECV_VIRTUACOMBR RM_hr_VirtuaComBr
+#counts SARE_RECV_VIRTUACOMBR 32s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_VIRTUACOMBR 882s/45h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_VIRTUACOMBR 36s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_VIRTUACOMBR 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_VIRTUACOMBR 20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_VIRTUACOMBR 104s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_VIRTUACOMBR 25s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_VIRTUACOMBR 37s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_VIRTUACOMBR 193s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_VIRTUACOMBR 63s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+#####################################################################################
+# SARE Received Header IP Address Rules
+######## ###################### ##################################################
+
+#eader __SARE_RECV_BEZEQINT Received =~ /\bbezeqint\.net/
+header __SARE_RECV_BEZEQINT1 Received =~ /\[212\.179\.13\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT2 Received =~ /\[212\.179\.(?:8\d|9[1-46-9]|10[0-6]|11[6-9]|12[89]|1[3-6]\d|17[0-36-9]|19[02-9]|2\d\d)\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT3 Received =~ /\[62\.219\.(?:4[89]|5[1-9]|[67]\d|11[2-9]|1[2-5]\d|189|192)\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT4 Received =~ /\[81\.218\.(?:\d{1,2}|1[01]\d|12[0-7]|13[2-9]|1[4-9]\d|2\d\d)\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT5 Received =~ /\[82\.80\.(?:\d|[1-5]\d|6[0-3]|12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3}\]/
+header __SARE_RECV_BEZEQINT6 Received =~ /\[82\.81\.(?:\d|\d\d|1[01]\d|12[0-7]|19[2-9]|2[01]\d|22[0-3])\.\d{1,3}\]/
+meta SARE_RECV_BEZEQINT_B __SARE_RECV_BEZEQINT1 ||
__SARE_RECV_BEZEQINT2 || __SARE_RECV_BEZEQINT3 || __SARE_RECV_BEZEQINT4 || __SARE_RECV_BEZEQINT5 || __SARE_RECV_BEZEQINT6
+describe SARE_RECV_BEZEQINT_B Came through/fromsite used by spammer
+score SARE_RECV_BEZEQINT_B 0.763
+#ham SARE_RECV_BEZEQINT_B verified (4)
+#hist SARE_RECV_BEZEQINT_B Created by Bob Menschel Jan 29 from data supplied by Bezeqint.net to replace SARE_RECV_BEZEQINT
+#counts SARE_RECV_BEZEQINT_B 23s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_BEZEQINT_B 494s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_BEZEQINT_B 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_BEZEQINT_B 24s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_BEZEQINT_B 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_BEZEQINT_B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_BEZEQINT_B 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_BEZEQINT_B 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_BEZEQINT_B 38s/2h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_BEZEQINT_B 20s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_FROMIP1 Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i
+describe SARE_RECV_IP_FROMIP1 Received line is IP address from IP address
+score SARE_RECV_IP_FROMIP1 1.666
+#hist SARE_RECV_IP_FROMIP1 From Regis Wilson, Wed, 24 Mar 2004, SUSP_IP_RECEIVED
+#ham SARE_RECV_IP_FROMIP1 ham: South Valley Bank
+#counts SARE_RECV_IP_FROMIP1 598s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_FROMIP1 2940s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_FROMIP1 186s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_FROMIP1 1547s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_FROMIP1 1784s/0h
of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_FROMIP1 18s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_FROMIP1 639s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_FROMIP1 81s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_FROMIP1 661s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_FROMIP1 173s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_FROMIP1 730s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_FROMIP3 ALL =~ /Received: from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by [a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz); [SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}/i
+describe SARE_RECV_IP_FROMIP3 Received line is IP address from IP address
+score SARE_RECV_IP_FROMIP3 0.711
+#match SARE_RECV_IP_FROMIP3 Received: from 2.19.230.24 by web9DKKRb8QDIGIT.mail.yahoo.com; Sun, 28 Mar 2004 22:08:01 -0500
+#ham SARE_RECV_IP_FROMIP3 Messages from a cell phone
+#hist SARE_RECV_IP_FROMIP3 From Fred , Fri, 2 Apr 2004, RE_hrip_IPfromIPc
+#counts SARE_RECV_IP_FROMIP3 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_FROMIP3 587s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_FROMIP3 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_FROMIP3 111s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_FROMIP3 155s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_FROMIP3 1s/4h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_FROMIP3 46s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_FROMIP3 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_FROMIP3 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_FROMIP3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_FROMIP3 19s/0h of 42275 corpus (34158s/8117h
FVGT) 05/15/06
+
+header SARE_RECV_IP_061050 Received =~ /\[61\.5[01]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061050 Spam passed through possible spammer relay
+score SARE_RECV_IP_061050 1.544
+#ham SARE_RECV_IP_061050 confirmed (2)
+#counts SARE_RECV_IP_061050 66s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_061050 757s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_061050 62s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_061050 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_061050 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_061050 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_061050 7s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_RECV_IP_061050 23s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_061050 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_061072 Received =~ /\[61\.7[2-7]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061072 Passed through possible spammer relay or source
+score SARE_RECV_IP_061072 1.592
+#note SARE_RECV_IP_061072 Korea Telecom
+#hist SARE_RECV_IP_061072 Created by Bob Menschel Nov 02 2004
+#ham SARE_RECV_IP_061072 verified (1)
+#counts SARE_RECV_IP_061072 42s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_061072 2043s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_061072 61s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_061072 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_061072 11s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_061072 48s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_061072 11s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_061072 21s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_IP_061072 177s/0h of 155430 corpus (103881s/51549h
DOC) 05/15/06
+#counts SARE_RECV_IP_061072 33s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_061187 Received =~ /\[61\.187\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061187 Passed through possible spammer relay or source
+score SARE_RECV_IP_061187 0.694
+#hist SARE_RECV_IP_061187 Created by Bob Menschel Aug 09 2004
+#counts SARE_RECV_IP_061187 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_061187 36s/1h of 114241 corpus (81067s/33174h RM) 01/15/05
+#counts SARE_RECV_IP_061187 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_061187 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_061187 4s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
+#counts SARE_RECV_IP_061187 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_061187 20s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_061187 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_RECV_IP_061187 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_061187 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_061190 Received =~ /\[61\.190\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_061190 Spam passed through possible spammer relay
+score SARE_RECV_IP_061190 1.111
+#stype SARE_RECV_IP_061190 spamp
+#hist SARE_RECV_IP_061190 Created by Bob Menschel Apr 04 2004
+#counts SARE_RECV_IP_061190 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_061190 42s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_061190 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_061190 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_061190 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_061190 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_061190 5s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts
SARE_RECV_IP_061190 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#counts SARE_RECV_IP_061190 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_061190 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_RECV_IP_061228 Received =~ /\[61\.(?:22[89]|23[01])\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_061228 Spam passed through possible spammer relay +score SARE_RECV_IP_061228 0.895 +#ham SARE_RECV_IP_061228 verified (1) +#counts SARE_RECV_IP_061228 229s/8h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_061228 757s/3h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_061228 140s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_RECV_IP_061228 6s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_RECV_IP_061228 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_061228 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_RECV_IP_061228 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#counts SARE_RECV_IP_061228 85s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_061228 80s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_RECV_IP_066017 Received =~ /\[66\.17\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}\]/ +describe SARE_RECV_IP_066017 Passed through possible spammer relay or source +score SARE_RECV_IP_066017 0.637 +#ham SARE_RECV_IP_066017 confirmed (8) +#note SARE_RECV_IP_066017 Yipes Communications Inc +#hist SARE_RECV_IP_066017 Created by Bob Menschel Nov 20 2004 +#counts SARE_RECV_IP_066017 16s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_066017 88s/12h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_066017 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_RECV_IP_066017 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_RECV_IP_066017 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_066017 61s/0h of 22942 
corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_066017 335s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_RECV_IP_066017 0s/8h of 10590 corpus (5819s/4771h CT) 07/26/05 +#max SARE_RECV_IP_066017 149s/8h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_RECV_IP_066017 52s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_066017 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_RECV_IP_066165224 Received =~ /\[66\.165\.2(?:2[4-9]|3\d)\.\d{1,3}\]/ +describe SARE_RECV_IP_066165224 Spam passed through possible spammer relay +score SARE_RECV_IP_066165224 1.278 +#ham SARE_RECV_IP_066165224 confirmed: 3 +#hist SARE_RECV_IP_066165224 Created by Bob Menschel May 14 2005 +#note SARE_RECV_IP_066165224 Cyber World Internet Services +#counts SARE_RECV_IP_066165224 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_066165224 34s/0h of 272483 corpus (108035s/164448h RM) 05/15/05 +#counts SARE_RECV_IP_066165224 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_RECV_IP_066165224 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_IP_066165224 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_066165224 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_RECV_IP_066165224 4s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_066165224 124s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 + +header SARE_RECV_IP_069050210 Received =~ /\[69\.50\.210\.\d{1,3}\]/ +describe SARE_RECV_IP_069050210 Spam passed through possible spammer relay +score SARE_RECV_IP_069050210 0.700 +#ham SARE_RECV_IP_069050210 confirmed (2) +#hist SARE_RECV_IP_069050210 Created by Fred Tarasevicius May 2005 +#counts SARE_RECV_IP_069050210 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_069050210 49s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_069050210 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts 
SARE_RECV_IP_069050210 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 +#max SARE_RECV_IP_069050210 12s/0h of 6924 corpus (1403s/5521h ft) 07/27/05 +#counts SARE_RECV_IP_069050210 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_069050210 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 + +header SARE_RECV_IP_069060096 Received =~ /\[69\.60\.(?:9[6-9]|1(?:[01]\d|2[0-7]))\.\d{1,3}\]/ +describe SARE_RECV_IP_069060096 Spam passed through possible spammer relay +score SARE_RECV_IP_069060096 1.666 +#ham SARE_RECV_IP_069060096 verified (1) +#hist SARE_RECV_IP_069060096 Created by Bob Menschel May 14 2005 +#counts SARE_RECV_IP_069060096 112s/2h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_069060096 6813s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_069060096 11s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06 +#counts SARE_RECV_IP_069060096 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#counts SARE_RECV_IP_069060096 409s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_069060096 166s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 +#counts SARE_RECV_IP_069060096 368s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_069060096 398s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 + +header SARE_RECV_IP_082080 Received =~ /\[82\.80\.(?:12[89]|1[3-8]\d|191)\.\d{1,3}\]/ +describe SARE_RECV_IP_082080 Spam passed through possible spammer relay +score SARE_RECV_IP_082080 1.111 +#stype SARE_RECV_IP_082080 spamp +#counts SARE_RECV_IP_082080 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_082080 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_082080 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_RECV_IP_082080 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_082080 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_082080 2s/0h of 20489 corpus (17189s/3300h MY) 
01/30/05 +#counts SARE_RECV_IP_082080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_IP_082080 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_082080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_RECV_IP_082102 Received =~ /\[82\.102\.(?:3[2-9]|[45]\d|6[0-3]).\d{1,3}\]/ +describe SARE_RECV_IP_082102 Spam passed through possible spammer relay +score SARE_RECV_IP_082102 0.555 +#stype SARE_RECV_IP_082102 spamp +#hist SARE_RECV_IP_082102 Created by Bob Menschel May 20 2004 +#counts SARE_RECV_IP_082102 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_082102 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_082102 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_082102 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_082102 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_RECV_IP_082102 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_RECV_IP_082102 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_RECV_IP_082102 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_082102 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_RECV_IP_082154 Received =~ /\[82\.15[45]\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_082154 Passed through possible spammer relay or source +score SARE_RECV_IP_082154 1.666 +#ham SARE_RECV_IP_082154 confirmed (1) +#hist SARE_RECV_IP_082154 Created by Bob Menschel Aug 10 2004 +#counts SARE_RECV_IP_082154 256s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_082154 572s/5h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_082154 62s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_RECV_IP_082154 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_RECV_IP_082154 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_082154 43s/0h of 47809 corpus 
(43224s/4585h MY) 07/27/05 +#counts SARE_RECV_IP_082154 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#counts SARE_RECV_IP_082154 231s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_082154 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_RECV_IP_083028 Received =~ /\[83\.28\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_083028 Passed through possible spammer relay or source +score SARE_RECV_IP_083028 1.666 +#ham SARE_RECV_IP_083028 verified (1) +#hist SARE_RECV_IP_083028 Created by Bob Menschel Sep 10 2004 +#note SARE_RECV_IP_083028 Large block of IP addresses in Poland +#counts SARE_RECV_IP_083028 8s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_083028 171s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_083028 157s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_RECV_IP_083028 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_083028 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_083028 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 +#counts SARE_RECV_IP_083028 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#counts SARE_RECV_IP_083028 42s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_083028 19s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_RECV_IP_140117 Received =~ /\[140\.1(?:1[789]|2\d|3[0-8])\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_140117 Passed through possible spammer relay or source +score SARE_RECV_IP_140117 0.690 +#ham SARE_RECV_IP_140117 confirmed (1) +#hist SARE_RECV_IP_140117 Created by Bob Menschel Oct 03 2004 +#note SARE_RECV_IP_140117 Ministry of Education Computing Center, Taipei, Taiwan +#counts SARE_RECV_IP_140117 26s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_140117 87s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_140117 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts 
SARE_RECV_IP_140117 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_RECV_IP_140117 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#counts SARE_RECV_IP_140117 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_RECV_IP_140117 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_RECV_IP_140117 22s/4h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_140117 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_RECV_IP_142046 Received =~ /\[142\.46\.148\.\d{1,3}\]/ +describe SARE_RECV_IP_142046 Passed through possible spammer relay or source +score SARE_RECV_IP_142046 0.555 +#stype SARE_RECV_IP_142046 spamp +#hist SARE_RECV_IP_142046 Created by Bob Menschel Feb 10 2005 from Spam-L info +#counts SARE_RECV_IP_142046 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05 +#max SARE_RECV_IP_142046 8s/0h of 238550 corpus (112525s/126025h RM) 02/28/05 +#counts SARE_RECV_IP_142046 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_IP_142046 5s/0h of 155106 corpus (103557s/51549h DOC) 05/14/06 +#counts SARE_RECV_IP_142046 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_RECV_IP_142046 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 +#counts SARE_RECV_IP_142046 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 + +header SARE_RECV_IP_192116 Received =~ /\[192\.116\.13[3-7]\.\d{1,3}\]/ +describe SARE_RECV_IP_192116 Passed through possible spammer relay or source +score SARE_RECV_IP_192116 0.861 +#note SARE_RECV_IP_192116 GILAT-SATCOM +#hist SARE_RECV_IP_192116 Created by Bob Menschel Nov 16 2004 +#counts SARE_RECV_IP_192116 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_192116 52s/0h of 400432 corpus (178148s/222284h RM) 03/31/05 +#counts SARE_RECV_IP_192116 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_192116 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_RECV_IP_192116 0s/0h of 13313 corpus (7438s/5875h CT) 
05/14/06 +#max SARE_RECV_IP_192116 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_IP_192116 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_RECV_IP_200150 Received =~ /\[200\.150\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_200150 Spam passed through possible spammer relay +score SARE_RECV_IP_200150 0.612 +#ham SARE_RECV_IP_200150 confirmed (2) +#hist SARE_RECV_IP_200150 Created by Bob Menschel Aug 29 2004 +#counts SARE_RECV_IP_200150 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_200150 142s/1h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_200150 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_RECV_IP_200150 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_RECV_IP_200150 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#counts SARE_RECV_IP_200150 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_RECV_IP_200150 3s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_IP_200150 14s/5h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_200150 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_RECV_IP_203210128 Received =~ /\[203.210\.(?:1(?:2[89]|[3-9]\d)|2\d\d)\.\d{1,3}\]/ +describe SARE_RECV_IP_203210128 Spam passed through possible spammer relay +score SARE_RECV_IP_203210128 0.959 +#ham SARE_RECV_IP_203210128 verified (3) +#hist SARE_RECV_IP_203210128 Created by Bob Menschel May 14 2005 +#note SARE_RECV_IP_203210128 Vietnam Posts and Telecommunications (VNPT) +#counts SARE_RECV_IP_203210128 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_203210128 56s/13h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_203210128 43s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_RECV_IP_203210128 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_RECV_IP_203210128 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_IP_203210128 13s/0h 
of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_203210128 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06 +#max SARE_RECV_IP_203210128 79s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_RECV_IP_203210128 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_RECV_IP_203210128 116s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_RECV_IP_203177 Received =~ /\[203\.177\.1(?:2[89]|[3-8]\d|9[01])\.\d{1,3}\]/ +describe SARE_RECV_IP_203177 Passed through possible spammer relay or source +score SARE_RECV_IP_203177 0.772 +#hist SARE_RECV_IP_203177 Created by Bob Menschel Aug 20 2004 +#ham SARE_RECV_IP_203177 verified (1) +#counts SARE_RECV_IP_203177 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#max SARE_RECV_IP_203177 42s/0h of 400432 corpus (178148s/222284h RM) 03/31/05 +#counts SARE_RECV_IP_203177 23s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_RECV_IP_203177 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_203177 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 +#max SARE_RECV_IP_203177 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_RECV_IP_203177 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_RECV_IP_203177 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_RECV_IP_203177 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_RECV_IP_203177 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 + +header SARE_RECV_IP_206131 Received =~ /\[206\.131\.2(?:2[4-9]|[345]\d)\.\d{1,3}\]/ +describe SARE_RECV_IP_206131 Spam passed through possible spammer relay +score SARE_RECV_IP_206131 1.666 +#ham SARE_RECV_IP_206131 confirmed (1) +#hist SARE_RECV_IP_206131 Created by Bob Menschel Feb 5 2005 from Spam-L info +#note SARE_RECV_IP_206131 Minerva Network Systems, Inc. 
+#counts SARE_RECV_IP_206131 54s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_206131 2849s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_206131 692s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_206131 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_206131 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_206131 34s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_206131 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_RECV_IP_206131 1699s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_206131 31s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_209051 Received =~ /\[209\.51\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
+describe SARE_RECV_IP_209051 Spam passed through possible spammer relay
+score SARE_RECV_IP_209051 1.111
+#stype SARE_RECV_IP_209051 spamp
+#hist SARE_RECV_IP_209051 Created by Bob Menschel Aug 07 2005
+#note SARE_RECV_IP_209051 S-INFOTECH, Inc.
+#counts SARE_RECV_IP_209051 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_209051 56s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_209051 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_209051 22s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_209051 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+#counts SARE_RECV_IP_209051 1s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
+
+header SARE_RECV_IP_216118120 Received =~ /\[216\.118\.120\.(?:6[4-9]|[78]\d|9[0-1])\]/
+describe SARE_RECV_IP_216118120 Spam passed through possible spammer relay
+score SARE_RECV_IP_216118120 2.222
+#hist SARE_RECV_IP_216118120 Created by Bob Menschel Aug 07 2005
+#counts SARE_RECV_IP_216118120 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_216118120 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_216118120 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_216118120 10s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_216118120 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+header SARE_RECV_IP_211216 Received =~ /\[211\.2(?:1[6-9]|2[0-5]\d)\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_211216 Passed through possible spammer relay or source
+score SARE_RECV_IP_211216 0.978
+#stype SARE_RECV_IP_211216 max:1.000
+#ham SARE_RECV_IP_211216 confirmed (1) - YahooGroups moderated group, posting approved by moderator
+#hist SARE_RECV_IP_211216 Created by Bob Menschel Aug 20 2004
+#note SARE_RECV_IP_211216 Korea Telecom
+#note SARE_RECV_IP_211216 Score kept low to avoid FPs for naver.com
+#counts SARE_RECV_IP_211216 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_211216 1308s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_211216 33s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_211216 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_211216 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_211216 40s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_211216 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_211216 14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_211216 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_211216 14s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_212068 Received =~ /\[212\.68\.2[45]\d\.\d{1,3}\]/
+describe SARE_RECV_IP_212068 Spam passed through possible spammer relay
+score SARE_RECV_IP_212068 1.111
+#stype SARE_RECV_IP_212068 spamp
+#hist SARE_RECV_IP_212068 Created by Bob Menschel Apr 09 2004
+#counts SARE_RECV_IP_212068 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_212068 18s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_212068 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_212068 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_212068 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_212068 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_212068 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_212068 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_212068 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_216022 Received =~ /\[216\.22\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_216022 Spam passed through possible spammer relay
+score SARE_RECV_IP_216022 1.666
+#hist SARE_RECV_IP_216022 Created by Bob Menschel May 14 2005
+#counts SARE_RECV_IP_216022 270s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_216022 1146s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_216022 196s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_216022 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_216022 554s/6h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_216022 212s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+#counts SARE_RECV_IP_216022 307s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+
+header SARE_RECV_IP_218070 Received =~ /\[218\.70\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218070 Spam passed through possible spammer relay
+score SARE_RECV_IP_218070 1.111
+#stype SARE_RECV_IP_218070 spamp
+#counts SARE_RECV_IP_218070 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_218070 21s/0h of 112471 corpus (92494s/19977h) 03/14/04
+#counts SARE_RECV_IP_218070 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_218070 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#max SARE_RECV_IP_218070 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_218070 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_218070 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_IP_218070 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_218070 3s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_218072 Received =~ /\[218\.72\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218072 Spam passed through possible spammer relay
+score SARE_RECV_IP_218072 0.813
+#hist SARE_RECV_IP_218072 Created by Bob Menschel May 23 2004
+#counts SARE_RECV_IP_218072 87s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_RECV_IP_218072 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_218072 22s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_IP_218072 13s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_218072 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_218072 133s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_218072 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_218072 13s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_218072 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_218072 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_218078 Received =~ /\[218\.(?:7[89]|8[0123])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218078 Passed through possible spammer relay or source
+score SARE_RECV_IP_218078 1.666
+#hist SARE_RECV_IP_218078 Created by Bob Menschel Oct 07 2004
+#ham SARE_RECV_IP_218078 confirmed (1)
+#note SARE_RECV_IP_218078 ChinaNet, Shanghai Province
+#counts SARE_RECV_IP_218078 34s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_218078 581s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_RECV_IP_218078 51s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_218078 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_218078 136s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_218078 677s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_218078 53s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_218078 74s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_218078 67s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_218078 58s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_218088 Received =~ /\[218\.8[89]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218088 Passed through possible spammer relay or source
+score SARE_RECV_IP_218088 1.100
+#ham SARE_RECV_IP_218088 confirmed: 1
+#note SARE_RECV_IP_218088 CHINANET sichuan province network
+#hist SARE_RECV_IP_218088 Created by Bob Menschel Nov 04 2004
+#counts SARE_RECV_IP_218088 29s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_218088 111s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_RECV_IP_218088 15s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_218088 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_218088 13s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_218088 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_218088 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_218088 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_218088 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_218088 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_218088 25s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_218216 Received =~ /\[218\.(?:21[6-9]|22\d|23[01])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_218216 Passed through possible spammer relay or source
+score SARE_RECV_IP_218216 0.629
+#ham SARE_RECV_IP_218216 confirmed (2)
+#hist SARE_RECV_IP_218216 Created by Bob Menschel Oct 23 2004
+#counts SARE_RECV_IP_218216 88s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_218216 260s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_218216 31s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_218216 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_IP_218216 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_218216 12s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_IP_218216 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_218216 11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_218216 121s/22h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_218216 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_219128 Received =~ /\[219\.1(?:2[89]|3[0-7])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_219128 Passed through possible spammer relay or source
+score SARE_RECV_IP_219128 1.666
+#hist SARE_RECV_IP_219128 Created by Bob Menschel Aug 23 2004
+#counts SARE_RECV_IP_219128 381s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_219128 1752s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_219128 114s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_219128 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_219128 79s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_219128 225s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_219128 52s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_RECV_IP_219128 36s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_219128 116s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_220116 Received =~ /\[220\.(?:11[6-9]|12[0-7])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_220116 Passed through possible spammer relay or source
+score SARE_RECV_IP_220116 1.666
+#ham SARE_RECV_IP_220116 confirmed (1)
+#hist SARE_RECV_IP_220116 Created by Bob Menschel Jul 17 2004
+#note SARE_RECV_IP_220116 Korea Telecom
+#counts SARE_RECV_IP_220116 180s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_220116 1177s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_220116 192s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_220116 108s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_220116 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_220116 161s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_RECV_IP_220116 23s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_220116 58s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_IP_220116 206s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_220116 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_221124 Received =~ /\[221\.12[4-7]\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_221124 Spam passed through possible spammer relay
+score SARE_RECV_IP_221124 1.666
+#hist SARE_RECV_IP_221124 Created by Bob Menschel May 30 2004
+#counts SARE_RECV_IP_221124 91s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_221124 633s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_221124 88s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_221124 66s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_221124 74s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_221124 4s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_221124 16s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_221124 15s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_221124 24s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_221124 56s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_221124 119s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_222000 Received =~ /\[222\.(?:\d|1[0-5])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_222000 Passed through possible spammer relay or source
+score SARE_RECV_IP_222000 1.508
+#ham SARE_RECV_IP_222000 confirmed (1)
+#hist SARE_RECV_IP_222000 Created by Bob Menschel Aug 09 2004
+#counts SARE_RECV_IP_222000 79s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_222000 171s/19h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_222000 80s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_222000 20s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_222000 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#counts SARE_RECV_IP_222000 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_222000 7s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_222000 133s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_222000 18s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_IP_222064 Received =~ /\[222\.(?:6[4-9]|7[0-3])\.\d{1,3}\.\d{1,3}\]/
+describe SARE_RECV_IP_222064 Spam passed through possible spammer relay
+score SARE_RECV_IP_222064 1.666
+#ham SARE_RECV_IP_222064 verified (1)
+#hist SARE_RECV_IP_222064 Created by Bob Menschel Apr 18 2004
+#counts SARE_RECV_IP_222064 115s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_222064 831s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#counts SARE_RECV_IP_222064 54s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_IP_222064 95s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_RECV_IP_222064 97s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
+#counts SARE_RECV_IP_222064 189s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_222064 849s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
+#counts SARE_RECV_IP_222064 17s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_222064 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_IP_222064 352s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_222064 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+#####################################################################################
+# SARE Reply-To Rules
+######## ###################### ##################################################
+
+#####################################################################################
+# SARE To/Cc Destination rules
+######## ###################### ##################################################
+
+header SARE_TO_EMPTY To =~ /<>/
+describe SARE_TO_EMPTY To address is set to empty
+#core SARE_TO_EMPTY 0.330 0.550 0.000 0.550 # prev target: 0.660 when added to TO_NO_USER
+score SARE_TO_EMPTY 0.000 0.222 0.000 0.222 # curr target: 0.333 when added to TO_NO_USER
+#hist SARE_TO_EMPTY Originally submitted by Bob Menschel
+#overlap SARE_TO_EMPTY Distrib: TO_NO_USER: score TO_NO_USER 0.332 0.116 1.615 0.128
+#counts SARE_TO_EMPTY 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_TO_EMPTY 26s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
+#counts SARE_TO_EMPTY 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TO_EMPTY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TO_EMPTY 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_TO_EMPTY 0s/1h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_TO_EMPTY 0s/2h of 5653 corpus (1019s/4634h ft) 06/04/05
+
+#####################################################################################
+# SARE X-Mailer Rules
+######## ###################### ##################################################
+
+header SARE_XMAIL_PSSMAILER X-Mailer =~ /PSS Mailer/
+describe SARE_XMAIL_PSSMAILER Apparently uses bulk mailer
+score SARE_XMAIL_PSSMAILER 1.111
+#stype SARE_XMAIL_PSSMAILER spamp
+#hist SARE_XMAIL_PSSMAILER RM_hxm_PSSMailer
+#counts SARE_XMAIL_PSSMAILER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_PSSMAILER 12s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#counts SARE_XMAIL_PSSMAILER 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
+#counts SARE_XMAIL_PSSMAILER 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
+#counts SARE_XMAIL_PSSMAILER 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_XMAIL_PSSMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_XMAIL_RLSP X-Mailer =~ /RLSP/
+describe SARE_XMAIL_RLSP Uses Bulk Mailer used by spammers
+score SARE_XMAIL_RLSP 0.740
+#ham SARE_XMAIL_RLSP cartoon newsletter, personal emails (2)
+#hist SARE_XMAIL_RLSP Created by Bob Menschel Sep 27 2004
+#counts SARE_XMAIL_RLSP 26s/4h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_RLSP 1782s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_RLSP 52s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_XMAIL_RLSP 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_XMAIL_RLSP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_XMAIL_RLSP 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_XMAIL_RLSP 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_XMAIL_RLSP 68s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_XMAIL_RLSP 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+#####################################################################################
+# SARE Miscellaneous and X-Header header rules
+######## ###################### ##################################################
+
+header SARE_HEAD_DATE14 Date =~ /^.{1,14}$/
+score SARE_HEAD_DATE14 0.847
+#counts SARE_HEAD_DATE14 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_DATE14 313s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE14 43s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
+#counts SARE_HEAD_DATE14 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HEAD_DATE14 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_HEAD_DATE14 0s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE14 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_DATE14 2s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_HEAD_DATE46 Date =~ /^.{46}$/
+describe SARE_HEAD_DATE46 Date header suggests this is spam
+score SARE_HEAD_DATE46 1.666
+#ham SARE_HEAD_DATE46 Confirmed (1)
+#counts SARE_HEAD_DATE46 409s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE46 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_HEAD_DATE46 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HEAD_DATE46 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HEAD_DATE46 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE46 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_DATE46 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header __MIME_VERSION exists:MIME-Version +header __SARE_HEAD_MIME_VALID Mime-Version =~ m'^\s*1.0\b' +meta SARE_HEAD_MIME_INVALID !__SARE_HEAD_MIME_VALID && __MIME_VERSION +describe SARE_HEAD_MIME_INVALID Invalid mime version +score SARE_HEAD_MIME_INVALID 1.116 +#ham SARE_HEAD_MIME_INVALID confirmed +#hist SARE_HEAD_MIME_INVALID Bob Menschel, June 15 2005, inspired by Alex Broens +#counts SARE_HEAD_MIME_INVALID 433s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#counts SARE_HEAD_MIME_INVALID 7s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06 +#counts SARE_HEAD_MIME_INVALID 3s/0h of 13303 corpus (7429s/5874h CT) 05/14/06 +#counts SARE_HEAD_MIME_INVALID 0s/5h of 15713 corpus (7767s/7946h FT) 05/14/06 +#counts SARE_HEAD_MIME_INVALID 172s/0h of 105832 corpus (72573s/33259h ML) 05/14/06 + +header SARE_HEAD_ORG_PREFIXW Organization =~ /Prefix that with/i +describe SARE_HEAD_ORG_PREFIXW Spam sign in Organization header +score SARE_HEAD_ORG_PREFIXW 0.617 +#hist SARE_HEAD_ORG_PREFIXW Alex Broens, Feb 20 2005 +#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05 +#max SARE_HEAD_ORG_PREFIXW 10s/0h of 238550 corpus (112525s/126025h RM) 02/28/05 +#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 +#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 +#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_HEAD_ORG_PREFIXW 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_ORG_PREFIXW 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_XLIB_INDY1 X-Library=~ /Indy 10.00.14-B/ +describe SARE_HEAD_XLIB_INDY1 Uses S/W version which has only been seen in spam +score SARE_HEAD_XLIB_INDY1 0.844 +#hist SARE_HEAD_XLIB_INDY1 Originally submitted by Bob Menschel, RM.hxl_ForgedIndy +#counts SARE_HEAD_XLIB_INDY1 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05 
+#max SARE_HEAD_XLIB_INDY1 30s/0h of 66979 corpus (41757s/25222h RM) 09/04/04 +#counts SARE_HEAD_XLIB_INDY1 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_HEAD_XLIB_INDY1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_HEAD_XLIB_INDY1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_HEAD_XLIB_INDY1 13s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_HEAD_XLIB_INDY1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_XLIB_INDY1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_XLIB_INDY2 X-Library=~ /Indy 8.0.25/ +describe SARE_HEAD_XLIB_INDY2 Uses S/W version which has only been seen in spam +score SARE_HEAD_XLIB_INDY2 1.272 +#ham SARE_HEAD_XLIB_INDY2 verified (1) +#hist SARE_HEAD_XLIB_INDY2 Created by Bob Menschel May 31 2004 +#counts SARE_HEAD_XLIB_INDY2 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_XLIB_INDY2 130s/1h of 327690 corpus (159737s/167953h RM) 07/27/05 +#counts SARE_HEAD_XLIB_INDY2 91s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_HEAD_XLIB_INDY2 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_HEAD_XLIB_INDY2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#max SARE_HEAD_XLIB_INDY2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_HEAD_XLIB_INDY2 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#max SARE_HEAD_XLIB_INDY2 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_HEAD_XLIB_INDY2 30s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_HEAD_XLIB_INDY2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05 + +header SARE_HEAD_XUNSENT X-Unsent =~ /\b1\b/i +describe SARE_HEAD_XUNSENT Found spamsign header +score SARE_HEAD_XUNSENT 1.666 +#hist SARE_HEAD_XUNSENT Alex Broens, June 10 2005 +#counts SARE_HEAD_XUNSENT 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_XUNSENT 15436s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts 
SARE_HEAD_XUNSENT 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06 +#counts SARE_HEAD_XUNSENT 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#max SARE_HEAD_XUNSENT 57s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_HEAD_XUNSENT 126s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 +#counts SARE_HEAD_XUNSENT 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 +#max SARE_HEAD_XUNSENT 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05 +#counts SARE_HEAD_XUNSENT 98s/0h of 53950 corpus (16777s/37173h JH-3.01) 06/11/05 +#counts SARE_HEAD_XUNSENT 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 + +##################################################################################### +# SARE Rules which examine multiple header types +######## ###################### ################################################## + +header SARE_HEAD_8BIT_DATE Date =~ /[\x80-\xff]{3}/ +describe SARE_HEAD_8BIT_DATE High-ascii characters found in strange header +score SARE_HEAD_8BIT_DATE 1.666 +#hist SARE_HEAD_8BIT_DATE From Bugzilla # 2243 +#ham SARE_HEAD_8BIT_DATE verified (1) +#counts SARE_HEAD_8BIT_DATE 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_8BIT_DATE 433s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_8BIT_DATE 116s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06 +#counts SARE_HEAD_8BIT_DATE 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_HEAD_8BIT_DATE 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05 +#counts SARE_HEAD_8BIT_DATE 71s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06 +#counts SARE_HEAD_8BIT_DATE 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06 +#counts SARE_HEAD_8BIT_DATE 65s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06 + +header SARE_MULT_VIA_CITIZNET ALL =~ /\@(?:\w+\.)?citiz\.net\b/i +describe SARE_MULT_VIA_CITIZNET header references apparent spam source +score SARE_MULT_VIA_CITIZNET 1.394 +#ham SARE_MULT_VIA_CITIZNET confirmed (2) +#hist SARE_MULT_VIA_CITIZNET Created by Bob Menschel 
Aug 23 2004
+#counts SARE_MULT_VIA_CITIZNET 25s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_MULT_VIA_CITIZNET 37s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_MULT_VIA_CITIZNET 60s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_MULT_VIA_CITIZNET 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_MULT_VIA_CITIZNET 8s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
+#counts SARE_MULT_VIA_CITIZNET 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_MULT_VIA_CITIZNET 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_MULT_VIA_CITIZNET 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_MULT_VIA_CITIZNET 40s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_MULT_VIA_CITIZNET 13s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+
+# EOF
+
diff --git a/common/sare/70_sare_header2.cf b/common/sare/70_sare_header2.cf
new file mode 100644
index 0000000..37e1252
--- /dev/null
+++ b/common/sare/70_sare_header2.cf
@@ -0,0 +1,1632 @@
+# SARE Header Abuse Ruleset for SpamAssassin -- file 2
+# Version: 01.03.21
+# Created: 2004-04-25
+# Modified: 2006-05-21
+# Usage instructions and documentation in 70_sare_header0.cf
+
+# Full Revision History / Change Log in 70_sare_header.log
+#@@# 01.03.20 May 20 2005
+#@@# Minor score updates based on additional mass-check
+#@@# Modified "rule has been moved" meta flags
+#@@# Moved file 0 to file 2 SARE_BOUNDARY_02
+#@@# Moved file 0 to file 2 SARE_BOUNDARY_ANYDIG
+#@@# Moved file 0 to file 2 SARE_BOUNDARY_D11
+#@@# Moved file 0 to file 2 SARE_FROM_SPAM_NAME2
+#@@# Moved file 0 to file 2 SARE_FROM_WSJ
+#@@# Moved file 0 to file 2 SARE_HEAD_BDY_BOUNCES %%% OR ARCHIVE
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_CONVER
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_NLETRID
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_PID
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_XBNCETR
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_XGMAILA
+#@@# Moved file 0 to file 2 SARE_HEAD_HDR_XIDSRVR
+#@@# Moved file 0 to file 2 SARE_HEAD_THRD_ALNUM
+#@@# Moved file 0 to file 2 SARE_HEAD_XM4
+#@@# Moved file 0 to file 2 SARE_HEAD_XMF_AUTHSNDR
+#@@# Moved file 0 to file 2 SARE_HELO_MAILUSER
+#@@# Moved file 0 to file 2 SARE_MSGID_HEX30
+#@@# Moved file 0 to file 2 SARE_MULT_SEXCLUB
+#@@# Moved file 0 to file 2 SARE_MULT_SUBJ
+#@@# Moved file 0 to file 2 SARE_RECV_IP_004078
+#@@# Moved file 0 to file 2 SARE_RECV_IP_038112147
+#@@# Moved file 0 to file 2 SARE_RECV_IP_064192082
+#@@# Moved file 0 to file 2 SARE_RECV_IP_066063
+#@@# Moved file 0 to file 2 SARE_RECV_IP_066114a
+#@@# Moved file 0 to file 2 SARE_RECV_IP_066159017
+#@@# Moved file 0 to file 2 SARE_RECV_IP_069060122
+#@@# Moved file 0 to file 2 SARE_RECV_IP_070096177
+#@@# Moved file 0 to file 2 SARE_RECV_IP_207182
+#@@# Moved file 0 to file 2 SARE_RECV_IP_208048182
+#@@# Moved file 0 to file 2 SARE_RECV_IP_216055133
+#@@# Moved file 0 to file 2 SARE_RECV_LOCALHOST
+#@@# Moved file 0 to file 2 SARE_RECV_SUSP_2
+#@@# Moved file 0 to file 2 SARE_RECV_TRADVALUES
+#@@# Moved file 0 to file 2 SARE_RECV_VIPLIST
+#@@# Moved file 0 to file 2 SARE_RECV_XACTRIX
+#@@# Moved file 0 to file 2 SARE_REPLY_XACTRIX
+#@@# Moved file 0 to file 2 SARE_XMAIL_DIRUNIV
+#@@# Moved file 0 to file 2 SARE_XMAIL_INTERMED
+#@@# Moved file 0 to file 2 SARE_XMAIL_LEO
+#@@# Moved file 0 to file 2 SARE_XMAIL_PHPBulkEmai
+#@@# Moved file 0 to file 3 SARE_RECV_ADDR5
+#@@# Moved file 1 to file 2 SARE_HEAD_DATE_RNDDATE
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_MSGTYPE
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_X400RCV
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_XCNDINF
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_XRIPE
+#@@# Moved file 1 to file 2 SARE_HEAD_HDR_XSAFMMI
+#@@# Moved file 1 to file 2 SARE_RECV_IP_062023
+#@@# Moved file 1 to file 2 SARE_RECV_IP_065205157
+#@@# Moved file 1 to file 2 SARE_RECV_IP_066248154
+#@@# Moved file 1 to file 2 SARE_RECV_IP_206248152
+#@@# Moved file 1 to file 2 SARE_RECV_RND_DATE
+#@@# Moved file 1 to file 2 SARE_XMAIL_GDI
+#@@# Moved file 2 to file 0 SARE_HEAD_HDR_CONVWLS
+#@@# Moved file 2 to file 0 SARE_HEAD_SUBJ_RAND
+#@@# Moved file 2 to file 0 SARE_HEAD_XORIP_IP
+#@@# Moved file 2 to file 3 SARE_MULT_RATW_03
+#@@# Returned file 2 to file 0 SARE_HEAD_HDR_EPATH
+#@@# Returned file 2 to file 0 SARE_RECV_IP_063111025
+#@@# Returned file 2 to file 1 SARE_RECV_IP_142046
+#@@# 01.03.21 May 21 2005
+#@@# Minor repairs to "downgraded rule" metas.
+
+######## ###################### ##################################################
+# Meta rules used to prevent --lint errors after moving/changing rules
+######## ###################### ##################################################
+
+meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
+meta SARE_MULT_RATW_03 __SARE_HEAD_FALSE
+
+######## ###################### ##################################################
+# Component rules used within meta rules
+######## ###################### ##################################################
+
+header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
+
+#####################################################################################
+# SARE Header-Exists rules
+######## ###################### ##################################################
+
+header SARE_HEAD_HDR_CONVER exists:Conversion
+describe SARE_HEAD_HDR_CONVER Message headers used which identify spam
+score SARE_HEAD_HDR_CONVER 1.111
+#stype SARE_HEAD_HDR_CONVER spamp
+#counts SARE_HEAD_HDR_CONVER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_CONVER 54s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
+#counts SARE_HEAD_HDR_CONVER 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_CONVER 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_HEAD_HDR_CONVER 10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_CONVER 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_HEAD_HDR_CONVER 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_HDR_CONVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_HDR_CONVER 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+header SARE_HEAD_HDR_JLH exists:X-JLH
+describe SARE_HEAD_HDR_JLH Message headers used which identify spam
+score SARE_HEAD_HDR_JLH 1.111
+#stype SARE_HEAD_HDR_JLH spamp
+#counts SARE_HEAD_HDR_JLH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#max 
SARE_HEAD_HDR_JLH 71s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 +#counts SARE_HEAD_HDR_JLH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_JLH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_JLH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 +#counts SARE_HEAD_HDR_JLH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 + +header SARE_HEAD_HDR_MSGTYPE exists:Message-Type +describe SARE_HEAD_HDR_MSGTYPE Message headers used which identify spam +score SARE_HEAD_HDR_MSGTYPE 0.555 +#stype SARE_HEAD_HDR_MSGTYPE spamp +#counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_MSGTYPE 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_NLETRID exists:Newsletter-ID +describe SARE_HEAD_HDR_NLETRID Message headers used which identify spam +score SARE_HEAD_HDR_NLETRID 1.666 +#stype SARE_HEAD_HDR_NLETRID spamp +#counts SARE_HEAD_HDR_NLETRID 0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05 +#max SARE_HEAD_HDR_NLETRID 173s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#counts SARE_HEAD_HDR_NLETRID 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#max SARE_HEAD_HDR_NLETRID 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_HEAD_HDR_NLETRID 28s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_HEAD_HDR_NLETRID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#max SARE_HEAD_HDR_NLETRID 12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_HEAD_HDR_NLETRID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_PID exists:PID +describe SARE_HEAD_HDR_PID Message headers used which identify 
spam +score SARE_HEAD_HDR_PID 1.666 +#stype SARE_HEAD_HDR_PID spamp +#counts SARE_HEAD_HDR_PID 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_PID 139s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#counts SARE_HEAD_HDR_PID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_PID 36s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts SARE_HEAD_HDR_PID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#max SARE_HEAD_HDR_PID 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_HEAD_HDR_PID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_REDIRTO exists:Redirect-to +describe SARE_HEAD_HDR_REDIRTO Message headers used which identify spam +score SARE_HEAD_HDR_REDIRTO 0.555 +#stype SARE_HEAD_HDR_REDIRTO spamp +#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_REDIRTO 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05 +#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_REDIRTO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_ROT exists:Rot +describe SARE_HEAD_HDR_ROT Message headers used which identify spam +score SARE_HEAD_HDR_ROT 0.555 +#stype SARE_HEAD_HDR_ROT spamp +#counts SARE_HEAD_HDR_ROT 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_ROT 3s/0h of 114261 corpus (81069s/33192h RM) 01/15/05 +#counts SARE_HEAD_HDR_ROT 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_ROT 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_ROT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_ROT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_RTNPATH exists:List-Return-Path +describe SARE_HEAD_HDR_RTNPATH 
Message headers used which identify spam +score SARE_HEAD_HDR_RTNPATH 1.111 +#stype SARE_HEAD_HDR_RTNPATH spamp +#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05 +#max SARE_HEAD_HDR_RTNPATH 32s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 +#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_RTNPATH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_WCMSGID exists:WcMessage-ID +describe SARE_HEAD_HDR_WCMSGID Message headers used which identify spam +score SARE_HEAD_HDR_WCMSGID 0.555 +#stype SARE_HEAD_HDR_WCMSGID spamp +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_WCMSGID 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_WCMSGID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_X400MTI exists:X400-MTS-Identifier +describe SARE_HEAD_HDR_X400MTI Message headers used which identify spam +score SARE_HEAD_HDR_X400MTI 0.555 +#stype SARE_HEAD_HDR_X400MTI spamp +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_X400MTI 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05 +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_X400MTI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_X400RCV 
exists:X400-Received +describe SARE_HEAD_HDR_X400RCV Message headers used which identify spam +score SARE_HEAD_HDR_X400RCV 0.555 +#stype SARE_HEAD_HDR_X400RCV spamp +#counts SARE_HEAD_HDR_X400RCV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_X400RCV 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05 +#counts SARE_HEAD_HDR_X400RCV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_X400RCV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_X400RCV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_X400RCV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XAR exists:X-AR +describe SARE_HEAD_HDR_XAR Message headers used which identify spam +score SARE_HEAD_HDR_XAR 0.555 +#stype SARE_HEAD_HDR_XAR spamp +#counts SARE_HEAD_HDR_XAR 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05 +#max SARE_HEAD_HDR_XAR 2s/0h of 66087 corpus (40127s/25960h RM) 09/11/04 +#counts SARE_HEAD_HDR_XAR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XAR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XAR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XAR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XAUTGEN exists:X-Auto-Generated +describe SARE_HEAD_HDR_XAUTGEN Message headers used which identify spam +score SARE_HEAD_HDR_XAUTGEN 0.555 +#stype SARE_HEAD_HDR_XAUTGEN spamp +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05 +#max SARE_HEAD_HDR_XAUTGEN 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XBNCETR 
exists:X-BounceTrace +describe SARE_HEAD_HDR_XBNCETR Message headers used which identify spam +score SARE_HEAD_HDR_XBNCETR 1.111 +#stype SARE_HEAD_HDR_XBNCETR spamp +#counts SARE_HEAD_HDR_XBNCETR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XBNCETR 96s/0h of 619677 corpus (318875s/300802h RM) 09/11/05 +#counts SARE_HEAD_HDR_XBNCETR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XBNCETR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XBNCETR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XBNCETR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XCNDINF exists:X-CND-Info +describe SARE_HEAD_HDR_XCNDINF Message headers used which identify spam +score SARE_HEAD_HDR_XCNDINF 0.555 +#stype SARE_HEAD_HDR_XCNDINF spamp +#counts SARE_HEAD_HDR_XCNDINF 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XCNDINF 6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XCNDINF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XCNDINF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XCNDINF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XCNDINF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XCROSS exists:X-cross +describe SARE_HEAD_HDR_XCROSS Message headers used which identify spam +score SARE_HEAD_HDR_XCROSS 0.100 +#stype SARE_HEAD_HDR_XCROSS spamp +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XCROSS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XEMGBMS exists:X-EMailGateBouncedMessage +describe 
SARE_HEAD_HDR_XEMGBMS Message headers used which identify spam +score SARE_HEAD_HDR_XEMGBMS 0.555 +#stype SARE_HEAD_HDR_XEMGBMS spamp +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05 +#max SARE_HEAD_HDR_XEMGBMS 6s/0h of 274235 corpus (109066s/165169h RM) 05/15/05 +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XGMAILA exists:X-Gmail-Account +describe SARE_HEAD_HDR_XGMAILA Message headers used which identify spam +score SARE_HEAD_HDR_XGMAILA 1.111 +#stype SARE_HEAD_HDR_XGMAILA spamp +#counts SARE_HEAD_HDR_XGMAILA 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XGMAILA 20s/0h of 259338 corpus (110116s/149222h RM) 05/16/05 +#counts SARE_HEAD_HDR_XGMAILA 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XGMAILA 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XGMAILA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XGMAILA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XIDSRVR exists:X-Identity-Server +describe SARE_HEAD_HDR_XIDSRVR Message headers used which identify spam +score SARE_HEAD_HDR_XIDSRVR 1.111 +#stype SARE_HEAD_HDR_XIDSRVR spamp +#hist SARE_HEAD_HDR_XIDSRVR Bob Menschel, June 3 2005, idea by Alex Broens +#counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_HEAD_HDR_XIDSRVR 15s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05 +#counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05 +#counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#counts 
SARE_HEAD_HDR_XIDSRVR 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 + +header SARE_HEAD_HDR_XLC exists:X-L-C +describe SARE_HEAD_HDR_XLC Message headers used which identify spam +score SARE_HEAD_HDR_XLC 0.100 +#stype SARE_HEAD_HDR_XLC spamp +#counts SARE_HEAD_HDR_XLC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XLC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XLC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XLC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XLC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XLIDCOD exists:X-LIDCode +describe SARE_HEAD_HDR_XLIDCOD Message headers used which identify spam +score SARE_HEAD_HDR_XLIDCOD 0.100 +#stype SARE_HEAD_HDR_XLIDCOD spamp +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMISCID exists:X-Misc_ID +describe SARE_HEAD_HDR_XMISCID Message headers used which identify spam +score SARE_HEAD_HDR_XMISCID 0.100 +#stype SARE_HEAD_HDR_XMISCID spamp +#hist SARE_HEAD_HDR_XMISCID FH_XMISCID +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMISCID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMLCIPH exists:X-mlcipher +describe SARE_HEAD_HDR_XMLCIPH Message headers used which identify spam +score 
SARE_HEAD_HDR_XMLCIPH 0.100 +#stype SARE_HEAD_HDR_XMLCIPH spamp +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMLMSGI exists:X-mlmsgid +describe SARE_HEAD_HDR_XMLMSGI Message headers used which identify spam +score SARE_HEAD_HDR_XMLMSGI 0.100 +#stype SARE_HEAD_HDR_XMLMSGI spamp +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMAGDID exists:X-magdalene-ID +describe SARE_HEAD_HDR_XMAGDID Message headers used which identify spam +score SARE_HEAD_HDR_XMAGDID 0.555 +#stype SARE_HEAD_HDR_XMAGDID spamp +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04 +#max SARE_HEAD_HDR_XMAGDID 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04 +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04 +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_HEAD_HDR_XMAGDID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_HEAD_HDR_XMPM exists:X-mpm +describe SARE_HEAD_HDR_XMPM Message headers used which identify spam +score SARE_HEAD_HDR_XMPM 0.100 +#stype SARE_HEAD_HDR_XMPM spamp +#counts SARE_HEAD_HDR_XMPM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04 
+#counts SARE_HEAD_HDR_XMPM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XMPM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XMPM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XMPM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XMS exists:X-ms
+describe SARE_HEAD_HDR_XMS Message headers used which identify spam
+score SARE_HEAD_HDR_XMS 0.100
+#stype SARE_HEAD_HDR_XMS spamp
+#counts SARE_HEAD_HDR_XMS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XNOSPAM exists:X-No-Spam
+describe SARE_HEAD_HDR_XNOSPAM Message headers used which identify spam
+score SARE_HEAD_HDR_XNOSPAM 1.111
+#stype SARE_HEAD_HDR_XNOSPAM spamp
+#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
+#max SARE_HEAD_HDR_XNOSPAM 12s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
+#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_HDR_XNOSPAM 4s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XNTC exists:X-ntc
+describe SARE_HEAD_HDR_XNTC Message headers used which identify spam
+score SARE_HEAD_HDR_XNTC 0.100
+#stype SARE_HEAD_HDR_XNTC spamp
+#counts SARE_HEAD_HDR_XNTC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XNTC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XNTC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XNTC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XNTC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XPOPB4S exists:X-Pop-Before-SMTP-Sender
+describe SARE_HEAD_HDR_XPOPB4S Message headers used which identify spam
+score SARE_HEAD_HDR_XPOPB4S 0.555
+#stype SARE_HEAD_HDR_XPOPB4S spamp
+#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#max SARE_HEAD_HDR_XPOPB4S 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
+#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XPOPFLK exists:X-POPFile-Link
+describe SARE_HEAD_HDR_XPOPFLK Message headers used which identify spam
+score SARE_HEAD_HDR_XPOPFLK 0.555
+#stype SARE_HEAD_HDR_XPOPFLK spamp
+#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
+#max SARE_HEAD_HDR_XPOPFLK 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XPRIOMS exists:X-Prioserve-MailScanner
+describe SARE_HEAD_HDR_XPRIOMS Message headers used which identify spam
+score SARE_HEAD_HDR_XPRIOMS 0.555
+#stype SARE_HEAD_HDR_XPRIOMS spamp
+#counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#max SARE_HEAD_HDR_XPRIOMS 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XPRIOMF exists:X-Prioserve-MailScanner-From
+describe SARE_HEAD_HDR_XPRIOMF Message headers used which identify spam
+score SARE_HEAD_HDR_XPRIOMF 0.555
+#stype SARE_HEAD_HDR_XPRIOMF spamp
+#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#max SARE_HEAD_HDR_XPRIOMF 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XPRIOMI exists:X-Prioserve-MailScanner-Information
+describe SARE_HEAD_HDR_XPRIOMI Message headers used which identify spam
+score SARE_HEAD_HDR_XPRIOMI 0.555
+#stype SARE_HEAD_HDR_XPRIOMI spamp
+#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#max SARE_HEAD_HDR_XPRIOMI 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XPIROMC exists:X-Prioserve-MailScanner-SpamCheck
+describe SARE_HEAD_HDR_XPIROMC Message headers used which identify spam
+score SARE_HEAD_HDR_XPIROMC 0.555
+#stype SARE_HEAD_HDR_XPIROMC spamp
+#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#max SARE_HEAD_HDR_XPIROMC 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XPIROMC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XRBLTST exists:X-RBL-TST
+describe SARE_HEAD_HDR_XRBLTST Message headers used which identify spam
+score SARE_HEAD_HDR_XRBLTST 0.555
+#stype SARE_HEAD_HDR_XRBLTST spamp
+#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
+#max SARE_HEAD_HDR_XRBLTST 2s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
+#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRBLTST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XREC exists:X-Rec
+describe SARE_HEAD_HDR_XREC Message headers used which identify spam
+score SARE_HEAD_HDR_XREC 2.222
+#stype SARE_HEAD_HDR_XREC spamp
+#counts SARE_HEAD_HDR_XREC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XREC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XREC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XREC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XRIPE exists:X-RIPE
+describe SARE_HEAD_HDR_XRIPE Message headers used which identify spam
+score SARE_HEAD_HDR_XRIPE 1.111
+#stype SARE_HEAD_HDR_XRIPE spamp
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XRIPE 16s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XRIPE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XSAFMMI exists:X-SafeMailer-MsgId
+describe SARE_HEAD_HDR_XSAFMMI Message headers used which identify spam
+score SARE_HEAD_HDR_XSAFMMI 0.555
+#stype SARE_HEAD_HDR_XSAFMMI spamp
+#counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_HDR_XSAFMMI 1s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
+#counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XSPAMSC exists:X-Spam-Score
+describe SARE_HEAD_HDR_XSPAMSC Message headers used which identify spam
+score SARE_HEAD_HDR_XSPAMSC 0.555
+#stype SARE_HEAD_HDR_XSPAMSC spamp
+#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
+#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_HEAD_HDR_XSPAMSC 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XSRK exists:X-srk
+describe SARE_HEAD_HDR_XSRK Message headers used which identify spam
+score SARE_HEAD_HDR_XSRK 0.100
+#stype SARE_HEAD_HDR_XSRK spamp
+#counts SARE_HEAD_HDR_XSRK 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XSRK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XSRK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XSRK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSRK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XSUBID exists:X-SubID
+describe SARE_HEAD_HDR_XSUBID Message headers used which identify spam
+score SARE_HEAD_HDR_XSUBID 0.555
+#stype SARE_HEAD_HDR_XSUBID spamp
+#counts SARE_HEAD_HDR_XSUBID 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
+#max SARE_HEAD_HDR_XSUBID 3s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
+#counts SARE_HEAD_HDR_XSUBID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XSUBID 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XSUBID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XSUBID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XTRANS exists:X-Trans
+describe SARE_HEAD_HDR_XTRANS Message headers used which identify spam
+score SARE_HEAD_HDR_XTRANS 0.100
+#stype SARE_HEAD_HDR_XTRANS spamp
+#counts SARE_HEAD_HDR_XTRANS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XTRANS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XTRANS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XTRANS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XTRANS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XTXTCLS exists:X-Text-Classification
+describe SARE_HEAD_HDR_XTXTCLS Message headers used which identify spam
+score SARE_HEAD_HDR_XTXTCLS 0.555
+#stype SARE_HEAD_HDR_XTXTCLS spamp
+#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
+#max SARE_HEAD_HDR_XTXTCLS 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XVIG exists:X-Vig
+describe SARE_HEAD_HDR_XVIG Message headers used which identify spam
+score SARE_HEAD_HDR_XVIG 0.100
+#stype SARE_HEAD_HDR_XVIG spamp
+#counts SARE_HEAD_HDR_XVIG 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XVIG 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XVIG 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XVIG 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XVIG 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XYD exists:X-yd
+describe SARE_HEAD_HDR_XYD Message headers used which identify spam
+score SARE_HEAD_HDR_XYD 0.100
+#stype SARE_HEAD_HDR_XYD spamp
+#counts SARE_HEAD_HDR_XYD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XYD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XYD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XYD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XYD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XI exists:X-I
+describe SARE_HEAD_HDR_XI Message headers used which identify spam
+score SARE_HEAD_HDR_XI 0.100
+#stype SARE_HEAD_HDR_XI spamp
+#counts SARE_HEAD_HDR_XI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HEAD_HDR_XIM exists:X-IM
+describe SARE_HEAD_HDR_XIM Message headers used which identify spam
+score SARE_HEAD_HDR_XIM 0.100
+#stype SARE_HEAD_HDR_XIM spamp
+#counts SARE_HEAD_HDR_XIM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
+#counts SARE_HEAD_HDR_XIM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
+#counts SARE_HEAD_HDR_XIM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_HDR_XIM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_HDR_XIM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Content-Type and Boundary rules
+######## ###################### ##################################################
+
+header SARE_BOUNDARY_01 Content-Type =~ /boundary==?\".{0,}XXXX-/
+describe SARE_BOUNDARY_01 Spam tool pattern in MIME boundary
+score SARE_BOUNDARY_01 0.100
+#hist SARE_BOUNDARY_01 L.MIME_BOUND_SIMPLE
+#counts SARE_BOUNDARY_01 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_BOUNDARY_01 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_BOUNDARY_01 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_01 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_BOUNDARY_02 Content-Type =~ /boundary\=('|\")?\~{10,}/
+describe SARE_BOUNDARY_02 Too many ~'s in the boundary.
+score SARE_BOUNDARY_02 0.650
+#hist SARE_BOUNDARY_02 MY_BOUNDARY2
+#counts SARE_BOUNDARY_02 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_02 51s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_BOUNDARY_02 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_BOUNDARY_02 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_BOUNDARY_02 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_BOUNDARY_ANYDIG Content-Type =~ /boundary="--.*\[\d\]/i
+describe SARE_BOUNDARY_ANYDIG Content type boundary used in spam and viruses
+score SARE_BOUNDARY_ANYDIG 1.666
+#hist SARE_BOUNDARY_ANYDIG Created by Bob Menschel May 7 2005, suggested by Alex Broens
+#counts SARE_BOUNDARY_ANYDIG 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_ANYDIG 282s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#counts SARE_BOUNDARY_ANYDIG 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_BOUNDARY_ANYDIG 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_BOUNDARY_ANYDIG 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
+#max SARE_BOUNDARY_ANYDIG 85s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+#counts SARE_BOUNDARY_ANYDIG 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_BOUNDARY_D11 Content-Type =~ /boundary="\d{11}"/
+describe SARE_BOUNDARY_D11 Content type boundary used in spam or virus
+score SARE_BOUNDARY_D11 1.666
+#stype SARE_BOUNDARY_D11 spamp
+#hist SARE_BOUNDARY_D11 Created by Bob Menschel May 31 2004
+#counts SARE_BOUNDARY_D11 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_BOUNDARY_D11 112s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_BOUNDARY_D11 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_BOUNDARY_D11 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_BOUNDARY_D11 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_BOUNDARY_D11 7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_BOUNDARY_D11 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+full SARE_CONTENT_BITBITNUM /\nContent-Encoding: BitBitNUM\n/
+describe SARE_CONTENT_BITBITNUM Unlikely content encoding
+score SARE_CONTENT_BITBITNUM 1.406
+#hist SARE_CONTENT_BITBITNUM Loren Wilton, Feb 1 2005
+#counts SARE_CONTENT_BITBITNUM 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#max SARE_CONTENT_BITBITNUM 153s/0h of 95210 corpus (59682s/35528h RM) 02/01/05
+#counts SARE_CONTENT_BITBITNUM 64s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_CONTENT_BITBITNUM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_CONTENT_BITBITNUM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE From Rules
+######## ###################### ##################################################
+
+header SARE_FROM_AMERICA From =~ /[^\-]\bamerica\.com\b/i
+describe SARE_FROM_AMERICA From user address is used by spammer
+score SARE_FROM_AMERICA 1.111
+#stype SARE_FROM_AMERICA spamp
+#hist SARE_FROM_AMERICA Created by Bob Menschel Sep 24 2004
+#counts SARE_FROM_AMERICA 0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
+#max SARE_FROM_AMERICA 5s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
+#counts SARE_FROM_AMERICA 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_FROM_AMERICA 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#max SARE_FROM_AMERICA 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_FROM_AMERICA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_AMERICA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_SPAM_DOMN2 From =~ /\@wses\.(?:com|org)/i
+describe SARE_FROM_SPAM_DOMN2 From address suggests this is spam
+score SARE_FROM_SPAM_DOMN2 0.100
+#stype SARE_FROM_SPAM_DOMN2 spamp
+#hist SARE_FROM_SPAM_DOMN2 RM_fa_wses
+#counts SARE_FROM_SPAM_DOMN2 0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
+#counts SARE_FROM_SPAM_DOMN2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_FROM_SPAM_DOMN2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_SPAM_DOMN2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_SPAM_NAME2 From =~ /(?:Dating Tips|Email-Gallery|everyday-solution|Free Credit Report|FreebieFix|Long Distance|medmicro|Shape Solutions|TMobile Authorized Dealer|TheGolfWarehouses|Typing Teacher|Value Center|freePriority Shipping|koldny|propecia|thedailyfreesamples)/i
+describe SARE_FROM_SPAM_NAME2 From address suggests this is spam
+score SARE_FROM_SPAM_NAME2 1.666
+#stype SARE_FROM_SPAM_NAME2 spamp
+#hist SARE_FROM_SPAM_NAME2 COMBINED.FROM and other sources
+#counts SARE_FROM_SPAM_NAME2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_SPAM_NAME2 140s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_SPAM_NAME2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_FROM_SPAM_NAME2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_SPAM_NAME2 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FROM_SPAM_NAME2 16s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_FROM_SPAM_NAME2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_SPAM_NAME2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FROM_VIRUS1 ALL=~ /From:\ssupport\@microsoft.com/
+describe SARE_FROM_VIRUS1 From address suggests this is a virus
+score SARE_FROM_VIRUS1 3.333
+#stype SARE_FROM_VIRUS1 vbgg
+#counts SARE_FROM_VIRUS1 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
+#max SARE_FROM_VIRUS1 21s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
+#counts SARE_FROM_VIRUS1 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_FROM_VIRUS1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_VIRUS1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_FROM_WSJ From:name =~ /Wall Street (?:News Alert|Journal Online|Stock Wizard|Detective|Universe|Update|Chronicle)/i
+meta SARE_FROM_WSJ __SARE_FROM_WSJ && __SARE_WHITELIST_FLAG && !USER_IN_WHITELIST
+score SARE_FROM_WSJ 1.666
+#hist SARE_FROM_WSJ Matt Yackley, Apr 15 2005, expanded by Bob Menschel
+#hist SARE_FROM_WSJ Dec 24 2005: Added real WSJ whitelist entry to 70_sare_whitelist.cf; added whitelist flags to new meta to force this rule to NOT hit if this is actually the WSJ.
+#counts SARE_FROM_WSJ 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_WSJ 86s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#counts SARE_FROM_WSJ 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
+#max SARE_FROM_WSJ 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_FROM_WSJ 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
+#max SARE_FROM_WSJ 11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
+#counts SARE_FROM_WSJ 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_FROM_WSJ 258s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_WSJ 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+#####################################################################################
+# SARE From Rules -- Emails coming from free webmail accounts
+# Since spam from these can vary depending upon country of origin,
+# country of destination, policies, and enforcement of policies,
+# most of these are kept as separate rules rather than combined.
+######## ###################### ##################################################
+
+header SARE_FREE_WEBM_Iamfi From =~ /\biamfinallyonline\.com/i
+describe SARE_FREE_WEBM_Iamfi Sender used free email account - may be spammer
+score SARE_FREE_WEBM_Iamfi 0.555
+#stype SARE_FREE_WEBM_Iamfi spamp
+#hist SARE_FREE_WEBM_Iamfi Created by Bob Menschel Apr 09 2004
+#counts SARE_FREE_WEBM_Iamfi 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_FREE_WEBM_Iamfi 3s/0h of 60630 corpus (35509s/25121h RM) 08/11/04
+#counts SARE_FREE_WEBM_Iamfi 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_FREE_WEBM_Iamfi 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_FREE_WEBM_Iamfi 1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_FREE_WEBM_Iamfi 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FREE_WEBM_Iamfi 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_FREE_WEBM_USACOPS From =~ /\@usacops\.com/i
+describe SARE_FREE_WEBM_USACOPS Maybe spammer with free email
+score SARE_FREE_WEBM_USACOPS 0.555
+#stype SARE_FREE_WEBM_USACOPS spamp
+#hist SARE_FREE_WEBM_USACOPS Created by Bob Menschel Feb 24 2005
+#counts SARE_FREE_WEBM_USACOPS 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
+#max SARE_FREE_WEBM_USACOPS 2s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_FREE_WEBM_USACOPS 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_FREE_WEBM_USACOPS 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_FREE_WEBM_USACOPS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FREE_WEBM_USACOPS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Message-ID rules
+######## ###################### ##################################################
+
+header SARE_MSGID_06D6 MESSAGEID =~ /<0{6}\d{6}\$\d/
+describe SARE_MSGID_06D6 Message-ID has ratware pattern (000009999$9)
+score SARE_MSGID_06D6 1.061
+#counts SARE_MSGID_06D6 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#max SARE_MSGID_06D6 91s/0h of 115439 corpus (94250s/21189h RM) 04/30/04
+#counts SARE_MSGID_06D6 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
+#counts SARE_MSGID_06D6 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_MSGID_06D6 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_06D6 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header MSGID_SPAM_CAPS Message-ID =~ /^\s*/ # no /i
+meta SARE_MSGID_ALL_CAPHM __SARE_MSGID_ALL_CAPHM && !MSGID_SPAM_CAPS
+describe SARE_MSGID_ALL_CAPHM Ratware all-caps message-id
+score SARE_MSGID_ALL_CAPHM 1.666
+#stype SARE_MSGID_ALL_CAPHM spamg
+#hist SARE_MSGID_ALL_CAPHM Created by Bob Menschel May 15 2004
+#note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPHM fall into SARE_MSGID_ALL_CAPS
+#counts SARE_MSGID_ALL_CAPHM 0s/0h of 70566 corpus (43013s/27553h RM) 10/02/04
+#max SARE_MSGID_ALL_CAPHM 1s/0h of 69619 corpus (42582s/27037h RM) 09/26/04
+#counts SARE_MSGID_ALL_CAPHM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_MSGID_ALL_CAPHM 1s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_MSGID_ALL_CAPHM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_MSGID_ALL_CAPHM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_ALL_CAPHM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header MSGID_SPAM_CAPS Message-ID =~ /^\s*/ # no /i
+meta SARE_MSGID_ALL_CAPMS __SARE_MSGID_ALL_CAPMS && !MSGID_SPAM_CAPS
+describe SARE_MSGID_ALL_CAPMS Ratware all-caps message-id
+score SARE_MSGID_ALL_CAPMS 1.666
+#hist SARE_MSGID_ALL_CAPMS Created by Bob Menschel May 15 2004
+#note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPMS fall into SARE_MSGID_ALL_CAPS
+#counts SARE_MSGID_ALL_CAPMS 0s/0h of 58336 corpus (33608s/24728h RM) 08/07/04
+#counts SARE_MSGID_ALL_CAPMS 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_MSGID_ALL_CAPMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_ALL_CAPMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_MSGID_H7H4H4 MESSAGEID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/
+describe SARE_MSGID_H7H4H4 Message-ID has ratware pattern (7hex$4hex$4hex@)
+score SARE_MSGID_H7H4H4 0.222
+#counts SARE_MSGID_H7H4H4 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_MSGID_H7H4H4 2s/0h of 115439 corpus (94250s/21189h) 04/30/04
+#counts SARE_MSGID_H7H4H4 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_MSGID_H7H4H4 2s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
+#counts SARE_MSGID_H7H4H4 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_MSGID_H7H4H4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_H7H4H4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_MSGID_HEX30 MESSAGEID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
+describe SARE_MSGID_HEX30 Message-ID has ratware pattern (HEXHEXHEX$9x9@)
+score SARE_MSGID_HEX30 1.666
+#counts SARE_MSGID_HEX30 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_MSGID_HEX30 18s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
+#counts SARE_MSGID_HEX30 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
+#max SARE_MSGID_HEX30 235s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_MSGID_HEX30 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
+#max SARE_MSGID_HEX30 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
+#counts SARE_MSGID_HEX30 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
+#counts SARE_MSGID_HEX30 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+
+header SARE_MSGID_SPAM_DOMN0 MESSAGEID =~ /\bjeanvaljean\.com/i
+describe SARE_MSGID_SPAM_DOMN0 Message ID implies possible spammer relay
+score SARE_MSGID_SPAM_DOMN0 1.666
+#stype SARE_MSGID_SPAM_DOMN0 spamg
+#hist SARE_MSGID_SPAM_DOMN0 Created by Bob Menschel Mar 22 2004
+#hist SARE_MSGID_SPAM_DOMN0 Removed moosq.com, since now in specific.cf
+#counts SARE_MSGID_SPAM_DOMN0 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#max SARE_MSGID_SPAM_DOMN0 1s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
+#counts SARE_MSGID_SPAM_DOMN0 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_MSGID_SPAM_DOMN0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_SPAM_DOMN0 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header MSGID_SPAM_ALPHA_NUM MESSAGEID =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/
+header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
+header __SARE_MSGID_SUSP2 MESSAGEID =~ /\<[A-Z]{5,15}\-\d{10,25}\@[a-z]+\>/
+meta SARE_MSGID_SUSP2 __SARE_MSGID_SUSP2 && !__SARE_RECV_LOCALHOST && !MSGID_SPAM_ALPHA_NUM
+describe SARE_MSGID_SUSP2 Message-Id is
+score SARE_MSGID_SUSP2 3.000
+#hist SARE_MSGID_SUSP2 Loren Wilton, LW_BOGUS_MSGID6
+#hist SARE_MSGID_SUSP2 Broadened Aug 2004 by Jesse Houwing, with ham-evading exclude
+#V300 SARE_MSGID_SUSP2 strong overlap with MSGID_SPAM_ALPHA_NUM
+#counts SARE_MSGID_SUSP2 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
+#alone SARE_MSGID_SUSP2 174s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
+#max SARE_MSGID_SUSP2 9187s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
+#counts SARE_MSGID_SUSP2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_MSGID_SUSP2 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_MSGID_SUSP2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_MSGID_SUSP2 187s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_MSGID_SUSP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MSGID_SUSP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE Received Header Rules
+######## ###################### ##################################################
+
+header SARE_HELO_AOLID Received =~ /helo=aol\.com ident=/
+describe SARE_HELO_AOLID Spam passed through apparent spammer relay
+score SARE_HELO_AOLID 0.611
+#counts SARE_HELO_AOLID 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_HELO_AOLID 10s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
+#counts SARE_HELO_AOLID 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_HELO_AOLID 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HELO_AOLID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HELO_AOLID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HELO_MAILUSER Received =~ /helo=MailUser\)/i
+describe SARE_HELO_MAILUSER Received header has possible spamsign
+score SARE_HELO_MAILUSER 1.111
+#stype SARE_HELO_MAILUSER spamp
+#hist SARE_HELO_MAILUSER Created by Bob Menschel May 31 2004
+#counts SARE_HELO_MAILUSER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HELO_MAILUSER 12s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#counts SARE_HELO_MAILUSER 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_HELO_MAILUSER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HELO_MAILUSER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HELO_MAILUSER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_ADDR2 Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n/
+describe SARE_RECV_ADDR2 Received header missing a FQDN, IP only.
+score SARE_RECV_ADDR2 0.100
+#counts SARE_RECV_ADDR2 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ADDR2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_ADDR2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_ADDR2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_ADDR3 Received =~ /^from \(.?\[.?\].?\)\b/
+describe SARE_RECV_ADDR3 Received header contains an empty Recieved IP.
+score SARE_RECV_ADDR3 0.100
+#counts SARE_RECV_ADDR3 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ADDR3 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_ADDR3 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_ADDR3 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_ADDR4 Received =~ /^from unknown \(\w+ \w+\)\b/
+describe SARE_RECV_ADDR4 Received contains unknown FQDN with possible HELO.
+score SARE_RECV_ADDR4 0.100
+#counts SARE_RECV_ADDR4 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ADDR4 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_ADDR4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_ADDR4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_RECV_CHAR_DASHS Received =~ /---/
+header __SARE_RECV_CHAR_DOTS Received =~ /\.\./
+meta SARE_RECV_CHAR_DSHDT __SARE_RECV_CHAR_DASHS && __SARE_RECV_CHAR_DOTS
+describe SARE_RECV_CHAR_DSHDT Strange dashes and dots in received line
+score SARE_RECV_CHAR_DSHDT 0.500
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#max SARE_RECV_CHAR_DSHDT 7s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_RECV_CHAR_DSHDT 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_CHAR_DSHDT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_RECV_ESMTP Received =~ /^from \(?:unknown|\d+\.\d+\.\d+\.\d+\) \(\s+\) by \s+ with esmtp; /
+describe SARE_RECV_ESMTP Received header has forged lowercase 'esmtp' relay
+score SARE_RECV_ESMTP 0.100
+#counts SARE_RECV_ESMTP 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ESMTP 0s/0h of 32586 corpus (9341s/23245h JH)
06/10/04 +#counts SARE_RECV_ESMTP 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_ESMTP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_RECV_LOCALHOST Received =~ /localhosts\.txt/i +describe SARE_RECV_LOCALHOST fingerprint +score SARE_RECV_LOCALHOST 1.111 +#stype SARE_RECV_LOCALHOST spamp +#hist SARE_RECV_LOCALHOST Alex Broens, June 2005 +#counts SARE_RECV_LOCALHOST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_LOCALHOST 77s/0h of 271461 corpus (129860s/141601h RM) 06/12/05 +#counts SARE_RECV_LOCALHOST 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 +#counts SARE_RECV_LOCALHOST 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05 + +header SARE_RECV_RANDOM Received =~ /helo[ =].{1,30} +#counts SARE_FROM_PHRASE 18s/4h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FROM_PHRASE 222s/88h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FROM_PHRASE 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#max SARE_FROM_PHRASE 10s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_FROM_PHRASE 39s/2h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FROM_PHRASE 14s/6h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_FROM_PHRASE 17s/5h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_FROM_PHRASE 5s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_FROM_PHRASE 6s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#counts SARE_FROM_PHRASE 53s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FROM_PHRASE 3s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 + +header SARE_FROM_PRINTER From =~ /\bprinter\b/i +describe SARE_FROM_PRINTER From user address seems to contain spam topic +score SARE_FROM_PRINTER 0.444 +#counts SARE_FROM_PRINTER 8s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FROM_PRINTER 98s/4h of 238550 corpus (112525s/126025h RM) 02/28/05 +#counts SARE_FROM_PRINTER 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 
+#counts SARE_FROM_PRINTER 3s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FROM_PRINTER 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#max SARE_FROM_PRINTER 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_FROM_PRINTER 190s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_FROM_PRINTER 0s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_FROM_PRINTER 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FROM_PRINTER 20s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FROM_PRINTER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FROM_QUOTE From =~ /quote/i +describe SARE_FROM_QUOTE From name/address has "quote" as part of it +score SARE_FROM_QUOTE 0.473 +#hist SARE_FROM_QUOTE Fred Tarasevicius, FH_FROM_QUOTE +#ham SARE_FROM_QUOTE resume from email account at intelliquote.com, hostquote@webhostdir.com +#ham SARE_FROM_QUOTE WisdomToday.com +#counts SARE_FROM_QUOTE 268s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FROM_QUOTE 419s/83h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FROM_QUOTE 84s/17h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_FROM_QUOTE 8s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_FROM_QUOTE 16s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FROM_QUOTE 374s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FROM_QUOTE 70s/3h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_FROM_QUOTE 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FROM_QUOTE 28s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FROM_QUOTE 69s/1h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_FROM_QUOTE 282s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 + +header SARE_FROM_SPAM_CHAR0a From =~ /^\?/i +describe SARE_FROM_SPAM_CHAR0a Sender name has unexpected or invalid characters +score SARE_FROM_SPAM_CHAR0a 0.636 +#counts SARE_FROM_SPAM_CHAR0a 0s/0h of 173032 corpus 
(99056s/73976h RM) 05/11/06 +#max SARE_FROM_SPAM_CHAR0a 1408s/105h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FROM_SPAM_CHAR0a 54s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_FROM_SPAM_CHAR0a 55s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FROM_SPAM_CHAR0a 0s/0h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_FROM_SPAM_CHAR0a 45s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 +#counts SARE_FROM_SPAM_CHAR0a 0s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_FROM_SPAM_CHAR0a 22s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FROM_SPAM_CHAR0a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FROM_SPAM_CHAR0b From =~ /^\$/i +describe SARE_FROM_SPAM_CHAR0b Sender name has unexpected or invalid characters +score SARE_FROM_SPAM_CHAR0b 0.636 +#counts SARE_FROM_SPAM_CHAR0b 25s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FROM_SPAM_CHAR0b 1408s/105h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FROM_SPAM_CHAR0b 10s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_FROM_SPAM_CHAR0b 0s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_FROM_SPAM_CHAR0b 22s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FROM_SPAM_CHAR0b 102s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FROM_SPAM_CHAR0b 1s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_FROM_SPAM_CHAR0b 54s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_FROM_SPAM_CHAR0b 55s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FROM_SPAM_CHAR0b 0s/0h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_FROM_SPAM_CHAR0b 45s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 + +header SARE_FROM_SPAM_CHAR5 From =~ /zzz/i +describe SARE_FROM_SPAM_CHAR5 Sender name has unlikely character string +score SARE_FROM_SPAM_CHAR5 0.640 +#ham SARE_FROM_SPAM_CHAR5 Postmaster (valid bounce) +#counts SARE_FROM_SPAM_CHAR5 7s/1h of 173032 
corpus (99056s/73976h RM) 05/11/06 +#max SARE_FROM_SPAM_CHAR5 114s/5h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FROM_SPAM_CHAR5 7s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_FROM_SPAM_CHAR5 2s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#counts SARE_FROM_SPAM_CHAR5 16s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FROM_SPAM_CHAR5 6s/1h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_FROM_SPAM_CHAR5 4s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#max SARE_FROM_SPAM_CHAR5 30s/0h of 32586 corpus (9341s/23245h JH) 06/10/04 +#counts SARE_FROM_SPAM_CHAR5 9s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FROM_SPAM_CHAR5 1s/0h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_FROM_SPAM_CHAR5 9s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 + +header SARE_FROM_SUPPORT_DIG From =~ /\bsupport\d/i +describe SARE_FROM_SUPPORT_DIG From user address is used by spammer +score SARE_FROM_SUPPORT_DIG 0.135 +#ham SARE_FROM_SUPPORT_DIG support1 @ $10domains.com +#hist SARE_FROM_SUPPORT_DIG Created by Bob Menschel Oct 07 2004 +#counts SARE_FROM_SUPPORT_DIG 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FROM_SUPPORT_DIG 25s/0h of 115509 corpus (81073s/34436h RM) 01/16/05 +#counts SARE_FROM_SUPPORT_DIG 0s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_FROM_SUPPORT_DIG 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FROM_SUPPORT_DIG 1s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FROM_SUPPORT_DIG 0s/2h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#max SARE_FROM_SUPPORT_DIG 5s/1h of 6924 corpus (1403s/5521h ft) 07/27/05 +#counts SARE_FROM_SUPPORT_DIG 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FROM_SUPPORT_DIG 1s/4h of 47809 corpus (43224s/4585h MY) 07/27/05 + +##################################################################################### +# SARE From Rules -- Emails coming from free webmail accounts +# 
Since spam from these can vary depending upon country of origin, +# country of destination, policies, and enforcement of policies, +# most of these are kept as separate rules rather than combined. +######## ###################### ################################################## + +header SARE_FREE_WEBM_123 From =~ /\b123\.com/i +describe SARE_FREE_WEBM_123 Sender used free email account - may be spammer +score SARE_FREE_WEBM_123 0.389 +#ham SARE_FREE_WEBM_123 confirmed: 1, anonymous response via feedback page +#counts SARE_FREE_WEBM_123 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FREE_WEBM_123 62s/0h of 97268 corpus (79437s/17831h RM) 01/24/04 +#counts SARE_FREE_WEBM_123 1s/0h of 9984 corpus (5649s/4335h AxB) 05/14/06 +#counts SARE_FREE_WEBM_123 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 +#max SARE_FREE_WEBM_123 5s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_FREE_WEBM_123 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05 +#max SARE_FREE_WEBM_123 10s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 +#counts SARE_FREE_WEBM_123 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_FREE_WEBM_123 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FREE_WEBM_CZSEZNA From =~ /\@seznam\.cz/i +describe SARE_FREE_WEBM_CZSEZNA Sender used free email account - may be spammer +score SARE_FREE_WEBM_CZSEZNA 0.248 +#hist SARE_FREE_WEBM_CZSEZNA Created by Bob Menschel May 31 2004 +#ham SARE_FREE_WEBM_CZSEZNA Confirmed (2) by JH +#counts SARE_FREE_WEBM_CZSEZNA 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#counts SARE_FREE_WEBM_CZSEZNA 1s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FREE_WEBM_CZSEZNA 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#max SARE_FREE_WEBM_CZSEZNA 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 +#counts SARE_FREE_WEBM_CZSEZNA 91s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_FREE_WEBM_CZSEZNA 186s/0h of 38398 corpus (14914s/23484h JH) 
08/14/04 TM2 SA3.0-pre2 +#counts SARE_FREE_WEBM_CZSEZNA 1s/1h of 9984 corpus (5649s/4335h AxB) 05/14/06 +#counts SARE_FREE_WEBM_CZSEZNA 2s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_FREE_WEBM_CZSEZNA 7s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_FREE_WEBM_CZSEZNA 1s/2h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FREE_WEBM_CZSEZNA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_FREE_WEBM_LAPOSTE From =~ /\@laposte\.net/i +describe SARE_FREE_WEBM_LAPOSTE Maybe spammer with free email +score SARE_FREE_WEBM_LAPOSTE 0.721 +#hist SARE_FREE_WEBM_LAPOSTE Created by Bob Menschel May 31 2004 +#counts SARE_FREE_WEBM_LAPOSTE 27s/3h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FREE_WEBM_LAPOSTE 108s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FREE_WEBM_LAPOSTE 4s/0h of 9984 corpus (5649s/4335h AxB) 05/14/06 +#counts SARE_FREE_WEBM_LAPOSTE 0s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_FREE_WEBM_LAPOSTE 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_FREE_WEBM_LAPOSTE 10s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FREE_WEBM_LAPOSTE 8s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_FREE_WEBM_LAPOSTE 1s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FREE_WEBM_LAPOSTE 11s/49h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FREE_WEBM_LAPOSTE 9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 + +header SARE_FREE_WEBM_Purin From =~ /\bpurinmail\.com/i +describe SARE_FREE_WEBM_Purin Sender used free email account - may be spammer +score SARE_FREE_WEBM_Purin 0.650 +#hist SARE_FREE_WEBM_Purin Created by Bob Menschel Mar 26 2004 +#counts SARE_FREE_WEBM_Purin 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FREE_WEBM_Purin 15s/0h of 125163 corpus (104972s/20191h) 03/28/04 +#counts SARE_FREE_WEBM_Purin 6s/0h of 9984 corpus (5649s/4335h AxB) 05/14/06 +#counts SARE_FREE_WEBM_Purin 0s/0h of 13285 corpus 
(7414s/5871h CT) 05/14/06 +#max SARE_FREE_WEBM_Purin 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#counts SARE_FREE_WEBM_Purin 12s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FREE_WEBM_Purin 23s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_FREE_WEBM_Purin 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FREE_WEBM_Purin 27s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FREE_WEBM_Purin 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#max SARE_FREE_WEBM_Purin 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05 + +header SARE_FREE_WEBM_RuMail From =~ /\@mail\.ru/i +describe SARE_FREE_WEBM_RuMail Sender used free email account - may be spammer +score SARE_FREE_WEBM_RuMail 0.671 +#counts SARE_FREE_WEBM_RuMail 239s/21h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FREE_WEBM_RuMail 740s/36h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FREE_WEBM_RuMail 8s/4h of 9984 corpus (5649s/4335h AxB) 05/14/06 +#counts SARE_FREE_WEBM_RuMail 12s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#counts SARE_FREE_WEBM_RuMail 149s/2h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FREE_WEBM_RuMail 92s/2h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_FREE_WEBM_RuMail 15s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#max SARE_FREE_WEBM_RuMail 19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_FREE_WEBM_RuMail 199s/84h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FREE_WEBM_RuMail 6s/0h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_FREE_WEBM_RuMail 27s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 + +header SARE_FREE_WEBM_Smapxsm From =~ /\bsmapxsmap\.net/i +describe SARE_FREE_WEBM_Smapxsm Sender used free email account - may be spammer +score SARE_FREE_WEBM_Smapxsm 0.667 +#counts SARE_FREE_WEBM_Smapxsm 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FREE_WEBM_Smapxsm 12s/0h of 689155 corpus 
(348140s/341015h RM) 09/18/05 +#counts SARE_FREE_WEBM_Smapxsm 2s/0h of 9984 corpus (5649s/4335h AxB) 05/14/06 +#counts SARE_FREE_WEBM_Smapxsm 2s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#counts SARE_FREE_WEBM_Smapxsm 23s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FREE_WEBM_Smapxsm 22s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_FREE_WEBM_Smapxsm 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_FREE_WEBM_Smapxsm 27s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FREE_WEBM_Smapxsm 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#max SARE_FREE_WEBM_Smapxsm 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 + +header SARE_FREE_WEBM_SURIML From =~ /\bsurimail\.com/i +describe SARE_FREE_WEBM_SURIML Sender used free email account - may be spammer +score SARE_FREE_WEBM_SURIML 0.555 +#hist SARE_FREE_WEBM_SURIML Created by Bob Menschel June 12 2004 +#counts SARE_FREE_WEBM_SURIML 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_FREE_WEBM_SURIML 2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_FREE_WEBM_SURIML 0s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_FREE_WEBM_SURIML 2s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_FREE_WEBM_SURIML 0s/0h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_FREE_WEBM_SURIML 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_FREE_WEBM_SURIML 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_FREE_WEBM_SURIML 3s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_FREE_WEBM_SURIML 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +##################################################################################### +# SARE Message-ID rules +######## ###################### ################################################## + +header SARE_MSGID_LONG MESSAGEID =~ /<.{135,}>/ +describe SARE_MSGID_LONG Message ID is too long. 
+score SARE_MSGID_LONG 0.202 +#ham SARE_MSGID_LONG confirmed (1) +#hist SARE_MSGID_LONG Jesse Houwing, August 20 2004 +#counts SARE_MSGID_LONG 4s/5h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_MSGID_LONG 97s/0h of 114271 corpus (81068s/33203h RM) 01/15/05 +#counts SARE_MSGID_LONG 1s/3h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_MSGID_LONG 2s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_MSGID_LONG 8s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_MSGID_LONG 7s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_MSGID_LONG 11s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_MSGID_LONG 29s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_MSGID_LONG 2s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_MSGID_LONG 1s/0h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_MSGID_LONG 7s/0h of 34763 corpus (18647s/16116h MY) 08/25/04 + +header __SARE_MSGID_LONG45 MESSAGEID =~ /[a-z0-9\$]{45}/ +meta SARE_MSGID_LONG45 __SARE_MSGID_LONG45 && !__SARE_MSGID_LONG50 && !__SARE_MSGID_LONG55 && !__SARE_MSGID_LONG65 && !__SARE_MSGID_LONG75 +describe SARE_MSGID_LONG45 Message ID has suspicious length +score SARE_MSGID_LONG45 0.893 +#hist SARE_MSGID_LONG45 Created by Frederic Tarasevicius +#counts SARE_MSGID_LONG45 79s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_MSGID_LONG45 450s/6h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_MSGID_LONG45 4s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_MSGID_LONG45 2s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_MSGID_LONG45 4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_MSGID_LONG45 32s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_MSGID_LONG45 14s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_MSGID_LONG45 7s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05 +#counts SARE_MSGID_LONG45 52s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 
+#counts SARE_MSGID_LONG45 15s/5h of 22938 corpus (17228s/5710h MY) 05/14/06
+#max SARE_MSGID_LONG45 28s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+#####################################################################################
+# SARE Received Header Rules
+######## ###################### ##################################################
+
+header SARE_HELO_EQ_CUST X-Spam-Relays-Untrusted =~ /helo=\S*\.customer/i
+score SARE_HELO_EQ_CUST 0.122
+#ham SARE_HELO_EQ_CUST MyCheckFree, billpay@billpay.bankofamerica.com,
+#hist SARE_HELO_EQ_CUST Frederic Tarasevicius, Feb 22 2005
+#counts SARE_HELO_EQ_CUST 15s/57h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HELO_EQ_CUST 108s/42h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HELO_EQ_CUST 66s/2h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_HELO_EQ_CUST 4s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#max SARE_HELO_EQ_CUST 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_HELO_EQ_CUST 45s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_HELO_EQ_CUST 12s/1h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_HELO_EQ_CUST 27s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HELO_EQ_CUST 0s/3h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_HELO_EQ_CUST 11s/6h of 22938 corpus (17228s/5710h MY) 05/14/06
+#max SARE_HELO_EQ_CUST 23s/6h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_HELO_SENDER Received =~ /helo=sender/i
+describe SARE_HELO_SENDER Received header has possible spamsign
+score SARE_HELO_SENDER 0.486
+#hist SARE_HELO_SENDER Originally submitted by Bob Menschel.
RM.hr_HeloSender
+#ham SARE_HELO_SENDER American Express email to online business accepting their cards
+#counts SARE_HELO_SENDER 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HELO_SENDER 33s/3h of 60630 corpus (35509s/25121h RM) 08/11/04
+#counts SARE_HELO_SENDER 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HELO_SENDER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HELO_SENDER 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_HELO_SENDER 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HELO_SENDER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header SARE_HELO_SERVER Received =~ /\(helo=server\)/i
+describe SARE_HELO_SERVER Received header has possible spamsign
+score SARE_HELO_SERVER 0.722
+#ham SARE_HELO_SERVER confirmed (4): "opt-in" messages from Canon, ASDS Computer Co. software registration confirmation
+#counts SARE_HELO_SERVER 22s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HELO_SERVER 104s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
+#counts SARE_HELO_SERVER 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HELO_SERVER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HELO_SERVER 0s/4h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_HELO_SERVER 0s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#max SARE_HELO_SERVER 8s/3h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HELO_SERVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#@@# Moved file 0 to file 3 SARE_RECV_ADDR5
+header SARE_RECV_ADDR5 Received =~ /^from \(HELO \w+\) \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by /
+describe SARE_RECV_ADDR5 RCVD header has no FQDN and a HELO.
+score SARE_RECV_ADDR5 0.100
+#counts SARE_RECV_ADDR5 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
+#counts SARE_RECV_ADDR5 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_ADDR5 1s/0h of 155106 corpus (103557s/51549h DOC) 05/14/06
+#counts SARE_RECV_ADDR5 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_ADDR5 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+
+header SARE_RECV_CHAR_CARAT Received =~ /\^/
+describe SARE_RECV_CHAR_CARAT Received header has apparently invalid character
+score SARE_RECV_CHAR_CARAT 0.619
+#ham SARE_RECV_CHAR_CARAT confirmed (1)
+#hist SARE_RECV_CHAR_CARAT Created by Bob Menschel May 3 2004
+#counts SARE_RECV_CHAR_CARAT 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_CHAR_CARAT 23s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_CHAR_CARAT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_CHAR_CARAT 2s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_RECV_CHAR_CARAT 4s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_RECV_CHAR_CARAT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_RECV_CHAR_CARAT 2s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_RECV_CHAR_CARAT 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+# Moved from file 1 to 3: SARE_RECV_FREESERVE
+header SARE_RECV_FREESERVE Received =~ /\bfreeserve\.com/
+describe SARE_RECV_FREESERVE spam passed through system used by spammers
+score SARE_RECV_FREESERVE 0.551
+#ham SARE_RECV_FREESERVE confirmed (1)
+#ham SARE_RECV_FREESERVE userid@hurrel.freeserve.co.uk, valid email sent to Yahoo groups list by subscriber
+#counts SARE_RECV_FREESERVE 195s/14h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_RECV_FREESERVE 2s/3h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_RECV_FREESERVE 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_FREESERVE 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_FREESERVE 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_FREESERVE 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#counts SARE_RECV_FREESERVE 14s/7h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_FREESERVE 3s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
+
+header SARE_RECV_INFOSAT Received =~ /\binfosat\.(?:com|net)/
+describe SARE_RECV_INFOSAT Email passed through apparent spammer domain
+score SARE_RECV_INFOSAT 0.618
+#counts SARE_RECV_INFOSAT 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_INFOSAT 484s/35h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_RECV_INFOSAT 18s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_INFOSAT 0s/0h of 22938 corpus (17228s/5710h MY) 05/14/06
+#max SARE_RECV_INFOSAT 17s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_RECV_INFOSAT 0s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#max SARE_RECV_INFOSAT 5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_INFOSAT 0s/1h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#max SARE_RECV_INFOSAT 2s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_RECV_SPAM_DOMN03 Received =~ /\b(?:takas)\.lt/
+describe SARE_RECV_SPAM_DOMN03 Email passed through apparent spammer domain
+score SARE_RECV_SPAM_DOMN03 0.646
+#counts SARE_RECV_SPAM_DOMN03 29s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SPAM_DOMN03 56s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN03 0s/1h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_RECV_SPAM_DOMN03 1s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#max SARE_RECV_SPAM_DOMN03 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_DOMN03 45s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_RECV_SPAM_DOMN03 14s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_RECV_SPAM_DOMN03 4s/0h of 54176 corpus (16997s/37179h JH-3.01)
02/01/05
+#max SARE_RECV_SPAM_DOMN03 7s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_RECV_SPAM_DOMN03 8s/1h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_RECV_SPAM_DOMN03 3s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
+
+header SARE_RECV_SPAM_DOMN07 Received =~ /\bnoos\.fr/
+describe SARE_RECV_SPAM_DOMN07 Spam passed through noos.fr relay
+score SARE_RECV_SPAM_DOMN07 0.615
+#counts SARE_RECV_SPAM_DOMN07 99s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SPAM_DOMN07 370s/44h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_DOMN07 58s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_RECV_SPAM_DOMN07 16s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#max SARE_RECV_SPAM_DOMN07 18s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#counts SARE_RECV_SPAM_DOMN07 209s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_RECV_SPAM_DOMN07 32s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_RECV_SPAM_DOMN07 40s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_DOMN07 47s/9h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_RECV_SPAM_DOMN07 16s/1h of 22938 corpus (17228s/5710h MY) 05/14/06
+#max SARE_RECV_SPAM_DOMN07 55s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+header SARE_RECV_SPAM_NAME1 Received =~ /\bHINET-IP/i
+describe SARE_RECV_SPAM_NAME1 Email passed through probable spammer relay
+score SARE_RECV_SPAM_NAME1 0.614
+#counts SARE_RECV_SPAM_NAME1 79s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SPAM_NAME1 349s/35h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_NAME1 30s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_RECV_SPAM_NAME1 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_RECV_SPAM_NAME1 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_NAME1 149s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts
SARE_RECV_SPAM_NAME1 69s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_RECV_SPAM_NAME1 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_NAME1 17s/0h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_RECV_SPAM_NAME1 13s/0h of 22938 corpus (17228s/5710h MY) 05/14/06
+#max SARE_RECV_SPAM_NAME1 15s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+header SARE_RECV_SPAM_NAME2 Received =~ /\bnetvigator\.com/
+describe SARE_RECV_SPAM_NAME2 Spam passed through netvigator.com system
+score SARE_RECV_SPAM_NAME2 0.393
+#hist SARE_RECV_SPAM_NAME2 Created by Bob Menschel June 9 2004
+#ham SARE_RECV_SPAM_NAME2 Appropriate (probably not spam) UCE via TradeEasy to CW.com, 3 in 2003, 1 in 2004
+#counts SARE_RECV_SPAM_NAME2 25s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_SPAM_NAME2 155s/24h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_SPAM_NAME2 4s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_RECV_SPAM_NAME2 4s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#max SARE_RECV_SPAM_NAME2 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_RECV_SPAM_NAME2 50s/1h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_RECV_SPAM_NAME2 5s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_RECV_SPAM_NAME2 19s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_RECV_SPAM_NAME2 23s/5h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_RECV_SPAM_NAME2 7s/0h of 22938 corpus (17228s/5710h MY) 05/14/06
+
+#####################################################################################
+# SARE Received Header IP Address Rules
+######## ###################### ##################################################
+
+#@@# Moved file 1 to file 3 SARE_RECV_IP_063106130
+header SARE_RECV_IP_063106130 Received =~ /\[63\.106\.130\.\d{1,3}\]/
+describe SARE_RECV_IP_063106130 Spam passed through possible spammer relay
+score SARE_RECV_IP_063106130
0.278
+#ham SARE_RECV_IP_063106130 Confirmed (3)
+#hist SARE_RECV_IP_063106130 Created by Bob Menschel May 14 2005
+#note SARE_RECV_IP_063106130 Data Depot LLC
+#counts SARE_RECV_IP_063106130 5s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
+#max SARE_RECV_IP_063106130 15s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
+#counts SARE_RECV_IP_063106130 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_RECV_IP_063106130 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_RECV_IP_063106130 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_RECV_IP_063106130 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
+#max SARE_RECV_IP_063106130 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+
+#@@# Moved file 1 to file 3 SARE_RECV_IP_064034
+header SARE_RECV_IP_064034 Received =~ /\[64\.34\.(?:\d{1,2}|1(?:[01]|2[0-7]))\.\d{1,3}\]/
+describe SARE_RECV_IP_064034 Spam passed through possible spammer relay
+score SARE_RECV_IP_064034 0.532
+#stype SARE_RECV_IP_064034 spamp
+#hist SARE_RECV_IP_064034 Created by Bob Menschel Aug 07 2005
+#counts SARE_RECV_IP_064034 4s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_RECV_IP_064034 144s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_RECV_IP_064034 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
+#max SARE_RECV_IP_064034 2s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_RECV_IP_064034 47s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_RECV_IP_064034 4s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+#counts SARE_RECV_IP_064034 12s/5h of 22942 corpus (17234s/5708h MY) 05/14/06
+
+header SARE_RECV_IP_066111 Received =~ /\[66\.111\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
+describe SARE_RECV_IP_066111 Passed through possible spammer relay or source
+score SARE_RECV_IP_066111 0.347
+#ham SARE_RECV_IP_066111 confirmed (1)
+#note SARE_RECV_IP_066111 WebHostPlus
+#hist SARE_RECV_IP_066111 Created by Bob Menschel Nov 27 2004
+#counts SARE_RECV_IP_066111
24s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_066111 38s/7h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_066111 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_066111 10s/0h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_RECV_IP_066111 90s/0h of 45478 corpus (41529s/3949h MY) 05/16/05 +#counts SARE_RECV_IP_066111 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_IP_066111 1s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_RECV_IP_066111 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_RECV_IP_069194 Received =~ /from \[62\.19[45]\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_069194 Spam passed through possible spammer relay +score SARE_RECV_IP_069194 1.666 +#stype SARE_RECV_IP_069194 spamp +#counts SARE_RECV_IP_069194 6s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_069194 213s/0h of 106584 corpus (86917s/19667h) 03/13/04 +#counts SARE_RECV_IP_069194 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_069194 1s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_RECV_IP_069194 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 +#counts SARE_RECV_IP_069194 1s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_RECV_IP_069194 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_IP_069194 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05 + +header SARE_RECV_IP_080032 Received =~ /\[80\.32\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_080032 Spam passed through possible spammer relay +score SARE_RECV_IP_080032 0.615 +#ham SARE_RECV_IP_080032 confirmed (1) +#hist SARE_RECV_IP_080032 Created by Bob Menschel Apr 28 2004 +#counts SARE_RECV_IP_080032 15s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_080032 30s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_080032 28s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts 
SARE_RECV_IP_080032 2s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_RECV_IP_080032 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_RECV_IP_080032 34s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_RECV_IP_080032 6s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_RECV_IP_080032 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#max SARE_RECV_IP_080032 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_RECV_IP_080032 1s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_RECV_IP_080032 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 + +header SARE_RECV_IP_080040 Received =~ /\[80\.4[1-7]\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_080040 Spam passed through possible spammer relay +score SARE_RECV_IP_080040 0.456 +#ham SARE_RECV_IP_080040 confirmed (6) +#hist SARE_RECV_IP_080040 Created by Bob Menschel June 7 2004 +#counts SARE_RECV_IP_080040 55s/1h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_080040 298s/21h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_080040 16s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_RECV_IP_080040 0s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#max SARE_RECV_IP_080040 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05 +#counts SARE_RECV_IP_080040 32s/4h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_RECV_IP_080040 7s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_RECV_IP_080040 11s/18h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_080040 1s/5h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_RECV_IP_080040 1s/0h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_RECV_IP_080040 14s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 + +header SARE_RECV_IP_080178 Received =~ /\[80\.17[89]\.\d{1,3}\.\d{1,3}\]/ +describe SARE_RECV_IP_080178 Spam passed through possible spammer relay +score SARE_RECV_IP_080178 0.391 +#ham 
SARE_RECV_IP_080178 Family email from Israel +#counts SARE_RECV_IP_080178 130s/3h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_080178 409s/60h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_080178 40s/1h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_RECV_IP_080178 6s/0h of 13285 corpus (7414s/5871h CT) 05/14/06 +#counts SARE_RECV_IP_080178 27s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06 +#counts SARE_RECV_IP_080178 18s/1h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_RECV_IP_080178 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05 +#max SARE_RECV_IP_080178 21s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_RECV_IP_080178 5s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_RECV_IP_080178 3s/0h of 22938 corpus (17228s/5710h MY) 05/14/06 +#max SARE_RECV_IP_080178 11s/0h of 17050 corpus (14617s/2433h MY) 08/08/04 + +header SARE_RECV_IP_222126 Received =~ /\[222\.126\.(?:\d{1,2}|1[01]\d|12[0-7])\.\d{1,3}\]/ +describe SARE_RECV_IP_222126 Passed through possible spammer relay or source +score SARE_RECV_IP_222126 0.612 +#note SARE_RECV_IP_222126 Infocom, Makati City, PH +#hist SARE_RECV_IP_222126 Created by Bob Menschel Dec 01 2004 +#counts SARE_RECV_IP_222126 13s/0h of 173032 corpus (99056s/73976h RM) 05/11/06 +#max SARE_RECV_IP_222126 37s/3h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_RECV_IP_222126 1s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06 +#counts SARE_RECV_IP_222126 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05 +#max SARE_RECV_IP_222126 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05 +#counts SARE_RECV_IP_222126 9s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06 +#counts SARE_RECV_IP_222126 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05 +#counts SARE_RECV_IP_222126 2s/0h of 106014 corpus (72769s/33245h ML) 05/14/06 +#counts SARE_RECV_IP_222126 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05 + 
+#####################################################################################
+# SARE Reply-To Rules
+######## ###################### ##################################################
+
+header SARE_REPLY_SPAMWORD2 Reply-To =~ /(?:amateur|funny|interacia)/i
+describe SARE_REPLY_SPAMWORD2 Reply-To email addr incl spam indicator word
+score SARE_REPLY_SPAMWORD2 0.486
+#ham SARE_REPLY_SPAMWORD2 confrmed (1)
+#counts SARE_REPLY_SPAMWORD2 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_REPLY_SPAMWORD2 9s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_REPLY_SPAMWORD2 1s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#counts SARE_REPLY_SPAMWORD2 6s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_REPLY_SPAMWORD2 1s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_REPLY_SPAMWORD2 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_REPLY_SPAMWORD2 1s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_REPLY_SPAMWORD2 2s/0h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_REPLY_SPAMWORD2 3s/0h of 22938 corpus (17228s/5710h MY) 05/14/06
+#max SARE_REPLY_SPAMWORD2 25s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+
+#####################################################################################
+# SARE TO & CC Rules
+######## ###################### ##################################################
+
+header SARE_TOCC_SLASHES ToCc =~ m'//'
+describe SARE_TOCC_SLASHES Spam sign: double slashes in To/Cc headers
+score SARE_TOCC_SLASHES 0.111
+#counts SARE_TOCC_SLASHES 8s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_TOCC_SLASHES 9s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
+#counts SARE_TOCC_SLASHES 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_SLASHES 6s/0h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_TOCC_SLASHES 0s/0h of 22938 corpus (17228s/5710h MY) 05/14/06
+#max SARE_TOCC_SLASHES 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_SLASHES 0s/1h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_TOCC_SLASHES 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_SLASHES 2s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_TOCC_SLASHES 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#####################################################################################
+# SARE X-Mailer Rules
+######## ###################### ##################################################
+
+header SARE_XMAIL_BULK3a X-Mailer =~ /Foxmail/i
+describe SARE_XMAIL_BULK3a Uses bulk mailer used by spammers
+score SARE_XMAIL_BULK3a 0.735
+#ham SARE_XMAIL_BULK3a ham from 2003 from China, "Foxmail 4.[12] \[cn\]", same as found in spam
+#hist SARE_XMAIL_BULK3a Bob Menschel: PSS Bulk Mailer, Calypso
+#counts SARE_XMAIL_BULK3a 584s/14h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_BULK3a 2166s/65h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_BULK3a 27s/4h of 9984 corpus (5649s/4335h AxB) 05/14/06
+#counts SARE_XMAIL_BULK3a 2s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#counts SARE_XMAIL_BULK3a 59s/1h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_XMAIL_BULK3a 458s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_XMAIL_BULK3a 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_XMAIL_BULK3a 5s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_XMAIL_BULK3a 330s/7h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_XMAIL_BULK3a 0s/1h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_XMAIL_BULK3a 4s/1h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+#todo SARE_XMAIL_BULK5 Add test for BSP-Trusted.
+header SARE_XMAIL_BULK5 X-Mailer =~ /(?:Roving Constant Contact)/i
+describe SARE_XMAIL_BULK5 Uses ham mailer, sometimes abused
+score SARE_XMAIL_BULK5 0.648
+#hist SARE_XMAIL_BULK5 Bob Menschel: Roving Constant Contact
+#counts SARE_XMAIL_BULK5 1s/6h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_BULK5 1900s/67h of 327690 corpus (159737s/167953h RM) 07/27/05
+#counts SARE_XMAIL_BULK5 9s/1h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_XMAIL_BULK5 3s/9h of 13285 corpus (7414s/5871h CT) 05/14/06
+#max SARE_XMAIL_BULK5 3s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_BULK5 1s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_XMAIL_BULK5 0s/13h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_XMAIL_BULK5 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
+#counts SARE_XMAIL_BULK5 8s/0h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_XMAIL_BULK5 0s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+#@@# Moved file 1 to file 3 SARE_XMAIL_GOMAIL
+header SARE_XMAIL_GOMAIL X-Mailer =~ /GoMail/i
+describe SARE_XMAIL_GOMAIL Apparently uses spam/bulk mailer
+score SARE_XMAIL_GOMAIL 0.296
+#hist SARE_XMAIL_GOMAIL Bob Menschel, Mar 4 2005, from suggestion by Alex Broens
+#counts SARE_XMAIL_GOMAIL 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_GOMAIL 1319s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_XMAIL_GOMAIL 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_XMAIL_GOMAIL 1s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
+#counts SARE_XMAIL_GOMAIL 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_XMAIL_GOMAIL 15s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
+#counts SARE_XMAIL_GOMAIL 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
+#counts SARE_XMAIL_GOMAIL 0s/2h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_XMAIL_LCDD X-Mailer=~/^[a-z]+ \d\.\d$/
+describe SARE_XMAIL_LCDD Ratware mailer
+score SARE_XMAIL_LCDD 0.642
+#ham SARE_XMAIL_LCDD X-Mailer: reportbug 3.8, tlmpmail 0.9
+#counts SARE_XMAIL_LCDD 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_LCDD 172s/0h of 33004 corpus (9761s/23243h RM) 05/21/04
+#counts SARE_XMAIL_LCDD 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_XMAIL_LCDD 31s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
+#counts SARE_XMAIL_LCDD 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_XMAIL_LCDD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_XMAIL_LCDD 13s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_XMAIL_LCDD 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_XMAIL_SUSP3 X-Mailer=~ /^(?:[a-z\-]+\s+[a-z\-]+(?:,\s+[a-z\-]+)?|[a-z\-]+ \d\.\d)$/
+meta SARE_XMAIL_SUSP3 __SARE_XMAIL_SUSP3 && !SARE_XMAIL_LCDD
+describe SARE_XMAIL_SUSP3 Contains a suspicious X-Mailer header
+score SARE_XMAIL_SUSP3 1.208
+#hist SARE_XMAIL_SUSP3 Jesse Houwing, SARE_TM2_RW_XM
+#hist SARE_XMAIL_SUSP3 Modified to meta to avoid overlap with SARE_XMAIL_LCDD; must be in same file as LCDD
+#ham SARE_XMAIL_SUSP3 "a script" from macromedia.com
+#counts SARE_XMAIL_SUSP3 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_SUSP3 505s/1h of 85084 corpus (62489s/22595h RM) 06/08/04
+#counts SARE_XMAIL_SUSP3 2s/2h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_XMAIL_SUSP3 0s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#max SARE_XMAIL_SUSP3 10s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_XMAIL_SUSP3 23s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_XMAIL_SUSP3 4s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_XMAIL_SUSP3 97s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#max SARE_XMAIL_SUSP3 291s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_XMAIL_SUSP3 19s/0h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_XMAIL_SUSP3 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_XMAIL_SUSP3 49s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+#@@# Moved file 1 to file 3 SARE_XMAIL_TOLMAIL
+header SARE_XMAIL_TOLMAIL X-Mailer =~ /\bTOL Mailer\b/
+describe SARE_XMAIL_TOLMAIL X-Mailer used by spammer
+score SARE_XMAIL_TOLMAIL 0.278
+#ham SARE_XMAIL_TOLMAIL possible (1)
+#hist SARE_XMAIL_TOLMAIL Alex Broens, July 29 2005
+#counts SARE_XMAIL_TOLMAIL 5s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_XMAIL_TOLMAIL 36s/0h of 325151 corpus (158002s/167149h RM) 07/31/05
+#counts SARE_XMAIL_TOLMAIL 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+
+#####################################################################################
+# SARE Miscellaneous and X-Header header rules
+######## ###################### ##################################################
+
+header SARE_HEAD_DATE39 Date =~ /^.{39}$/
+describe SARE_HEAD_DATE39 Date header suggests this is spam
+score SARE_HEAD_DATE39 0.660
+#counts SARE_HEAD_DATE39 0s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_DATE39 264s/3h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts SARE_HEAD_DATE39 5s/0h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_HEAD_DATE39 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE39 10s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_HEAD_DATE39 6s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_DATE39 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts SARE_HEAD_DATE39 30s/0h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_HEAD_DATE39 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+
+#@@# Moved file 1 to file 3 SARE_HEAD_DATE_5L
+header SARE_HEAD_DATE_5L Date =~ /[a-z]{5}\s*$/i
+describe SARE_HEAD_DATE_5L Date header ends in 5+ letters
+score SARE_HEAD_DATE_5L 0.278
+#ham SARE_HEAD_DATE_5L confirmed (5)
+#hist SARE_HEAD_DATE_5L Tim Jackson, May 12 2005
+#counts SARE_HEAD_DATE_5L 6s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_DATE_5L 395s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE_5L 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_HEAD_DATE_5L 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE_5L 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+#counts SARE_HEAD_DATE_5L 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_HEAD_DATE_5L 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+
+header SARE_HEAD_DATE61 Date =~ /^.{57,61}$/
+score SARE_HEAD_DATE61 -1.000
+tflags SARE_HEAD_DATE61 nice
+#stype SARE_HEAD_DATE61 ham
+#counts SARE_HEAD_DATE61 1s/32h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_DATE61 0s/72h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE61 0s/5h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
+#counts SARE_HEAD_DATE61 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
+#counts SARE_HEAD_DATE61 1s/20h of 9984 corpus (5649s/4335h AxB) 05/14/06
+#counts SARE_HEAD_DATE61 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE61 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
+
+header SARE_HEAD_DATE_ADDED Date =~ /\(added by/
+describe SARE_HEAD_DATE_ADDED Original email had no date - added by later system
+score SARE_HEAD_DATE_ADDED 0.139
+#ham SARE_HEAD_DATE_ADDED technical notification email from att.com
+#counts SARE_HEAD_DATE_ADDED 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_DATE_ADDED 21s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
+#counts SARE_HEAD_DATE_ADDED 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
+#counts SARE_HEAD_DATE_ADDED 0s/1h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_HEAD_DATE_ADDED 140s/1h of 9984 corpus (5649s/4335h AxB) 05/14/06
+#counts SARE_HEAD_DATE_ADDED 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_DATE_ADDED 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+header __SARE_HEAD_DATE_L1a Date =~ /.{50}/
+header __SARE_HEAD_DATE_L1b Date =~ /added by/
+meta SARE_HEAD_DATE_LONG1 __SARE_HEAD_DATE_L1a && !__SARE_HEAD_DATE_L1b
+describe SARE_HEAD_DATE_LONG1 Date header has interesting length
+score SARE_HEAD_DATE_LONG1 -0.500
+tflags SARE_HEAD_DATE_LONG1 nice
+#stype SARE_HEAD_DATE_LONG1 ham
+#hist SARE_HEAD_DATE_LONG1 Developed by Bob Menschel from rule by Frederic Tarasevicius
+#hist SARE_HEAD_DATE_LONG1 Reduce spam hits, Oct 13 2005, Bob Menschel
+#counts SARE_HEAD_DATE_LONG1 4s/2235h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_DATE_LONG1 97s/3020h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_DATE_LONG1 32s/34h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_HEAD_DATE_LONG1 0s/3h of 11052 corpus (6614s/4438h CT) 03/10/05
+#counts SARE_HEAD_DATE_LONG1 2s/265h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_HEAD_DATE_LONG1 2s/76h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_DATE_LONG1 2s/25h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_HEAD_DATE_LONG1 1s/0h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_HEAD_DATE_LONG1 0s/0h of 22938 corpus (17228s/5710h MY) 05/14/06
+#max SARE_HEAD_DATE_LONG1 0s/1h of 20489 corpus (17189s/3300h MY) 01/30/05
+
+header SARE_HEAD_XCOM_RFCMIN X-Comment =~ /Sending client does not conform to RFC822 minimum requirements/i
+describe SARE_HEAD_XCOM_RFCMIN AT&T Maillennium does not like this email
+score SARE_HEAD_XCOM_RFCMIN 0.555
+#ham SARE_HEAD_XCOM_RFCMIN confirmed (2)
+#hist SARE_HEAD_XCOM_RFCMIN Created by Bob Menschel Sep 05 2004
+#counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_XCOM_RFCMIN 3s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_XCOM_RFCMIN 3s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
+#counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 19447 corpus (16862s/2585h MY) 09/05/04
+#counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1)
09/06/04
+#counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_HEAD_XCOM_RFCMIN 166s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+
+#@@# Moved file 1 to file 3 SARE_HEAD_XWORD
+header SARE_HEAD_XWORD ALL =~ /\n(?!(?:X-Scanned|X-Windows|X-Emacs|X-Note))X-[A-Z][a-z\d]+:\s+(?:[a-z]{2,20}\s){5,}/
+describe SARE_HEAD_XWORD Spam tool
+score SARE_HEAD_XWORD 0.278
+#ham SARE_HEAD_XWORD verified (1)
+#hist SARE_HEAD_XWORD Loren Wilton, June 2005
+#hist SARE_HEAD_XWORD Added X-Scanned exclusion Sep 24 2005
+#counts SARE_HEAD_XWORD 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_XWORD 114s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_XWORD 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
+#counts SARE_HEAD_XWORD 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_HEAD_XWORD 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
+
+#####################################################################################
+# SARE Rules which examine multiple header types
+######## ###################### ##################################################
+
+header __SARE_HEAD_8BIT_HDRS ALL =~ /[\x80-\xff]{3,}/
+header SUBJ_ILLEGAL_CHARS eval:check_illegal_chars('Subject','0.00','2')
+#note SUBJ_ILLEGAL_CHARS Standard SpamAssassin rule/test
+#counts __SARE_HEAD_8BIT_HDRS 14742s/63h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts __SARE_HEAD_8BIT_HDRS 1297s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts __SARE_HEAD_8BIT_HDRS 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+header __SARE_HEAD_8BIT_RPLY Reply-To =~ /[\x80-\xff]{3,}/
+#counts __SARE_HEAD_8BIT_RPLY 6259s/9h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts __SARE_HEAD_8BIT_RPLY 728s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts __SARE_HEAD_8BIT_RPLY 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+header __SARE_HEAD_8BIT_FROM From =~ /[\x80-\xff]{3,}/
+#counts __SARE_HEAD_8BIT_FROM 8565s/23h of 238550 corpus (112525s/126025h RM) 02/28/05
+#counts __SARE_HEAD_8BIT_FROM 1823s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
+#counts __SARE_HEAD_8BIT_FROM 2s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
+
+meta SARE_HEAD_8BIT_NOSPM __SARE_HEAD_8BIT_HDRS && !__SARE_HEAD_8BIT_DATE && !__SARE_HEAD_8BIT_RECV && !__SARE_HEAD_8BIT_SUBJ
+describe SARE_HEAD_8BIT_NOSPM Header with 8-bit char suggests spam
+score SARE_HEAD_8BIT_NOSPM 0.385
+#hist SARE_HEAD_8BIT_NOSPM June 18 2005, Bob Menschel: Added exclusion for subject header
+#counts SARE_HEAD_8BIT_NOSPM 103s/76h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_8BIT_NOSPM 593s/85h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_8BIT_NOSPM 126s/1h of 55978 corpus (51650s/4328h AxB2) 05/14/06
+#counts SARE_HEAD_8BIT_NOSPM 12s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#counts SARE_HEAD_8BIT_NOSPM 78s/0h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_HEAD_8BIT_NOSPM 38s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_8BIT_NOSPM 93s/0h of 106014 corpus (72769s/33245h ML) 05/14/06
+
+meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_8BIT_HDRS && !__SARE_HEAD_8BIT_NOSPM && !SARE_HEAD_8BIT_DATE && !SARE_HEAD_8BIT_RECV && !__SARE_HEAD_8BIT_SUBJ
+describe SARE_HEAD_8BIT_SPAM High-ascii characters found in strange header
+score SARE_HEAD_8BIT_SPAM 1.666
+#hist SARE_HEAD_8BIT_SPAM From Bugzilla # 2243
+#hist SARE_HEAD_8BIT_SPAM June 18 2005, Bob Menschel: Added exclusion for subject header
+#todo%%% SARE_HEAD_8BIT_SPAM Analysis on avoiding the ham
+
+meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_8BIT_SUBJ && !SUBJ_ILLEGAL_CHARS
+describe SARE_HEAD_8BIT_SPAM High-ascii characters found in subject header
+score SARE_HEAD_8BIT_SPAM 0.888
+#hist SARE_HEAD_8BIT_SPAM Bob Menschel implementation, June 17 2005
+#counts SARE_HEAD_8BIT_SPAM 565s/94h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_HEAD_8BIT_SPAM 7948s/130h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HEAD_8BIT_SPAM 206s/13h of 9984 corpus (5649s/4335h AxB) 05/14/06
+#counts SARE_HEAD_8BIT_SPAM 20s/0h of 13285 corpus (7414s/5871h CT) 05/14/06
+#counts SARE_HEAD_8BIT_SPAM 674s/19h of 155354 corpus (103809s/51545h DOC) 05/15/06
+#counts SARE_HEAD_8BIT_SPAM 98s/0h of 42268 corpus (34150s/8118h FVGT) 05/15/06
+#counts SARE_HEAD_8BIT_SPAM 642s/3h of 106014 corpus (72769s/33245h ML) 05/14/06
+#counts SARE_HEAD_8BIT_SPAM 13s/7h of 22938 corpus (17228s/5710h MY) 05/14/06
+
+#@@# Moved file 2 to file 3 SARE_MULT_RATW_03
+header __SARE_MULT_RATW_03A MESSAGEID =~ /^<[A-Z]{20,26}\@[\w\d\.]+>/
+header __SARE_MULT_RATW_03B Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3} by \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3};/
+header __SARE_MULT_RATW_03C Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3} by ;/
+header __SARE_MULT_RATW_03D Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3} by web\d{1,4}\.mail\.yahoo\.com;/
+header __SARE_MULT_RATW_03F Received =~ /\bfrom ([A-Z][\w\.]+) by \1$/
+header __SARE_MULT_RATW_03G Received =~ /\%HEAD_RND_DOM/
+header __SARE_MULT_RATW_03H Received =~ /\(qmail 14413 invoked from network\);/
+header __SARE_MULT_RATW_03I ALL =~ /\bX-Mailer: [a-z]+ [a-z]+\n[a-z]+\-[a-z]+: [a-z]+ [a-z]+ [a-z]+\n/s
+meta SARE_MULT_RATW_03 (__SARE_MULT_RATW_03A && (__SARE_MULT_RATW_03B || __SARE_MULT_RATW_03C || __SARE_MULT_RATW_03D || __SARE_MULT_RATW_03E || __SARE_MULT_RATW_03F || __SARE_MULT_RATW_03G || __SARE_MULT_RATW_03H || __SARE_MULT_RATW_03I))
+describe SARE_MULT_RATW_03 Spammer sign in headers
+score SARE_MULT_RATW_03 1.666
+#hist SARE_MULT_RATW_03 LW_RATWARE4
+#counts SARE_MULT_RATW_03 0s/0h of 196708 corpus (96197s/100511h RM) 02/21/05
+#max SARE_MULT_RATW_03 321s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
+#counts SARE_MULT_RATW_03 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_MULT_RATW_03 1s/0h of 155106 corpus (103557s/51549h DOC) 05/14/06
+#counts SARE_MULT_RATW_03 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
+#counts SARE_MULT_RATW_03 57s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#max SARE_MULT_RATW_03 172s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
+#counts SARE_MULT_RATW_03 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
+#max SARE_MULT_RATW_03 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+# EOF
+
diff --git a/common/sare/70_sare_header_eng.cf b/common/sare/70_sare_header_eng.cf
new file mode 100644
index 0000000..5de3063
--- /dev/null
+++ b/common/sare/70_sare_header_eng.cf
@@ -0,0 +1,122 @@
+# SARE Header Abuse Ruleset for SpamAssassin -- English
+# Version: 01.03.16 / 01.03.17
+# Created: 2004-04-25
+# Modified: 2005-10-28 / 2006-05-??
+# Usage instructions and documentation in 70_sare_header0.cf
+
+# Full Revision History / Change Log in 70_sare_header.log
+#@@# 01.03.17 May ?? 2006
+#@@# Minor score updates based on additional mass-check
+#@@# Modified "rule has been moved" meta flags
+
+#####################################################################################
+# SARE Content-Type and Boundary rules
+######## ###################### ##################################################
+
+header __SARE_CHARSET_W1251 Content-Type =~ /charset="Windows-1251"/i
+meta SARE_CHARSET_W1251 __SARE_CHARSET_W1251 && !__SARE_FROM_CHAR_W1251
+describe SARE_CHARSET_W1251 Non-English character set
+score SARE_CHARSET_W1251 1.656
+#hist SARE_CHARSET_W1251 Created by Bob Menschel May 31 2004
+#counts SARE_CHARSET_W1251 2574s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_CHARSET_W1251 364s/0h of 55979 corpus (51646s/4333h AxB2) 05/14/06
+#counts SARE_CHARSET_W1251 27s/1h of 13295 corpus (7421s/5874h CT) 05/14/06
+#counts SARE_CHARSET_W1251 770s/16h of 155345 corpus (103798s/51547h DOC) 05/15/06
+#counts SARE_CHARSET_W1251 196s/0h of 42246 corpus (34129s/8117h FVGT) 05/15/06
+#counts SARE_CHARSET_W1251 185s/2h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_CHARSET_W1251 438s/0h of 106284 corpus (73045s/33239h ML) 05/14/06
+#counts SARE_CHARSET_W1251 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
+#max SARE_CHARSET_W1251 174s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+
+#####################################################################################
+# SARE From Rules
+######## ###################### ##################################################
+
+header __SARE_FROM_CHAR_W1251 From:raw =~ /\=\?Windows-1251\?/i
+meta SARE_FROM_CHAR_W1251 __SARE_FROM_CHAR_W1251
+describe SARE_FROM_CHAR_W1251 Displays in unexpected charset
+score SARE_FROM_CHAR_W1251 1.175
+#ham SARE_FROM_CHAR_W1251 Found in some Russian ham
+#hist SARE_FROM_CHAR_W1251 Created by Bob Menschel May 17 2004
+#counts SARE_FROM_CHAR_W1251 43s/8h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_CHAR_W1251 613s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_CHAR_W1251 26s/0h of 9983 corpus (5649s/4334h AxB) 05/14/06
+#counts SARE_FROM_CHAR_W1251 144s/0h of 155345 corpus (103798s/51547h DOC) 05/15/06
+#counts SARE_FROM_CHAR_W1251 640s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_CHAR_W1251 147s/0h of 106284 corpus (73045s/33239h ML) 05/14/06
+#counts SARE_FROM_CHAR_W1251 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
+#counts SARE_FROM_CHAR_W1251 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_CHAR_W1251 3s/0h of 42246 corpus (34129s/8117h FVGT) 05/15/06
+
+header SARE_FROM_CODE_KS5601 From:raw =~ /\=\?ks_c_5601\-1987\?/i
+describe SARE_FROM_CODE_KS5601 From header specifies display in code
+score SARE_FROM_CODE_KS5601 0.306
+#ham SARE_FROM_CODE_KS5601 confirmed
+#counts SARE_FROM_CODE_KS5601 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_CODE_KS5601 55s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
+#counts SARE_FROM_CODE_KS5601 1s/0h of 9983 corpus (5649s/4334h AxB) 05/14/06
+#counts SARE_FROM_CODE_KS5601 5s/1h of 155345 corpus (103798s/51547h DOC) 05/15/06
+#counts SARE_FROM_CODE_KS5601 3s/0h of 106284 corpus (73045s/33239h ML) 05/14/06
+#counts SARE_FROM_CODE_KS5601 1s/0h of 22938 corpus (17229s/5709h MY) 05/14/06
+#counts SARE_FROM_CODE_KS5601 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_CODE_KS5601 0s/0h of 13295 corpus (7421s/5874h CT) 05/14/06
+#max SARE_FROM_CODE_KS5601 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
+
+header SARE_FROM_CONS6S From =~ /\b[bcghjklmnpqrtvwxz]{6,20}\b/
+describe SARE_FROM_CONS6S From address has too many seq consonants
+score SARE_FROM_CONS6S 0.616
+#hist SARE_FROM_CONS6S Originally submitted by Bob Menschel
+#ham SARE_FROM_CONS6S mrktmgr, bpmllp.com
+#counts SARE_FROM_CONS6S 351s/152h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_FROM_CONS6S 1430s/208h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_FROM_CONS6S 373s/3h of 55979 corpus (51646s/4333h AxB2) 05/14/06
+#counts SARE_FROM_CONS6S 291s/0h of 155345 corpus (103798s/51547h DOC) 05/15/06
+#counts SARE_FROM_CONS6S 121s/2h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_CONS6S 306s/1h of 106284 corpus (73045s/33239h ML) 05/14/06
+#counts SARE_FROM_CONS6S 32s/2h of 22938 corpus (17229s/5709h MY) 05/14/06
+#max SARE_FROM_CONS6S 107s/2h of 47809 corpus (43224s/4585h MY) 07/27/05
+#counts SARE_FROM_CONS6S 40s/0h of 13295 corpus (7421s/5874h CT) 05/14/06
+#max SARE_FROM_CONS6S 49s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_CONS6S 280s/3h of 42246 corpus (34129s/8117h FVGT) 05/15/06
+
+header SARE_FROM_CONS9 From =~ /\b[bcghjklmnpqrstvwxz]{9,20}\b/
+describe SARE_FROM_CONS9 From address has way too many seq consonants
+score SARE_FROM_CONS9 1.000
+#stype SARE_FROM_CONS9 max:1
+#ham SARE_FRMO_CONS9 confirmed
+#hist SARE_FROM_CONS9 Originally submitted by Bob Menschel
+#addsto SARE_FROM_CONS9 SARE_FROM_CONS6S
+#counts SARE_FROM_CONS9 219s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
+#counts SARE_FROM_CONS9 20s/0h of 9983 corpus (5649s/4334h AxB) 05/14/06
+#counts SARE_FROM_CONS9 117s/0h of 155345 corpus (103798s/51547h DOC) 05/15/06
+#counts SARE_FROM_CONS9 46s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_FROM_CONS9 155s/0h of 106284 corpus (73045s/33239h ML) 05/14/06
+#counts SARE_FROM_CONS9 3s/0h of 22938 corpus (17229s/5709h MY) 05/14/06
+#max SARE_FROM_CONS9 69s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
+#counts SARE_FROM_CONS9 9s/0h of 13295 corpus (7421s/5874h CT) 05/14/06
+#max SARE_FROM_CONS9 22s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_FROM_CONS9 195s/0h of 42246 corpus (34129s/8117h FVGT) 05/15/06
+
+#####################################################################################
+# SARE TO & CC Rules
+######## ###################### ##################################################
+
+header SARE_TOCC_CONS6s ToCc =~ /\b[bcghjklmnpqrtvwxz]{6,}\b/
+describe SARE_TOCC_CONS6s Excessive consecutive consonants in To/Cc
+score SARE_TOCC_CONS6s 0.141
+#addsto SARE_TOCC_CONS6s SARE_TOCC_CONS6
+#ham SARE_TOCC_CONS6s "xcvbxcvb"
+#counts SARE_TOCC_CONS6s 14s/8h of 173032 corpus (99056s/73976h RM) 05/11/06
+#max SARE_TOCC_CONS6s 230s/100h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_TOCC_CONS6s 42s/9h of 55979 corpus (51646s/4333h AxB2) 05/14/06
+#counts SARE_TOCC_CONS6s 15s/0h of 155345 corpus (103798s/51547h DOC) 05/15/06
+#counts SARE_TOCC_CONS6s 5s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
+#counts SARE_TOCC_CONS6s 2s/0h of 106284 corpus (73045s/33239h ML) 05/14/06
+#counts SARE_TOCC_CONS6s 0s/1h of 22938 corpus (17229s/5709h MY) 05/14/06
+#max SARE_TOCC_CONS6s 6s/1h of 20489 corpus (17189s/3300h MY) 01/30/05
+#counts SARE_TOCC_CONS6s 1s/2h of 10590 corpus (5819s/4771h CT) 07/26/05
+#max SARE_TOCC_CONS6s 3s/2h of 10853 corpus (6391s/4462h CT) 05/16/05
+#counts SARE_TOCC_CONS6s 5s/11h of 42246 corpus (34129s/8117h FVGT) 05/15/06
+
+# EOF
+
diff --git a/common/sare/70_sare_html.cf b/common/sare/70_sare_html.cf
new file mode 100644
index 0000000..362603b
--- /dev/null
+++ b/common/sare/70_sare_html.cf
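Review bot: `SARE_CHARSET_W1251` (1.656) fires on any message whose Content-Type declares `charset="Windows-1251"` and whose From is not Windows-1251 encoded, and `SARE_FROM_CHAR_W1251` (1.175) fires on the encoded From itself, so legitimate Cyrillic mail collects a sizeable score from the character set alone; the file's own `#ham` line records "Found in some Russian ham". Whether the recipients served by this configuration receive such mail is not visible in the hunk, but if they do I would leave the imported file untouched and neutralise both rules in the local preferences with `score SARE_CHARSET_W1251 0` and `score SARE_FROM_CHAR_W1251 0`, preceded by a comment such as `# charset alone is not a spam signal for multilingual recipients`. A smaller point: the annotation `#ham SARE_FRMO_CONS9 confirmed` misspells the rule name and should read `#ham SARE_FROM_CONS9 confirmed`.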
@@ -0,0 +1,1519 @@
+# SARE HTML Ruleset for SpamAssassin - ruleset 0
+# Version: 01.03.10
+# Created: 2004-03-31
+# Modified: 2006-06-03
+# Usage instructions, documentation, and change history in 70_sare_html0.cf
+
+#@@# Revision History: Full Revision History stored in 70_sare_html.log
+#@@# 01.03.09: May 31 2006
+#@@# Minor score tweaks based on recent mass-checks
+#@@# Moved file 0 to file 2: SARE_HTML_EHTML_OBFU
+#@@# Moved file 0 to file 2: SARE_HTML_HEAD_AFFIL
+#@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU1
+#@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU2
+#@@# Moved file 0 to file 2: SARE_HTML_ONE_LINE3
+#@@# Moved file 0 to file 2: SARE_HTML_POB1200
+#@@# Moved file 0 to file 2: SARE_HTML_URI_HIDADD
+#@@# Moved file 0 to file 2: SARE_HTML_URI_LOGOGEN
+#@@# Moved file 0 to file 2: SARE_HTML_URI_OFF
+#@@# Moved file 0 to file 2: SARE_HTML_USL_B7
+#@@# Moved file 0 to file 2: SARE_HTML_USL_B9
+#@@# Moved file 0 to file 2: SARE_PHISH_HTML_01
+#@@# Added file 0: SARE_HTML_FLOAT1
+#@@# 01.03.10: June 3 2006
+#@@# Minor score tweaks based on recent mass-checks
+#@@# Added file 0 SARE_HTML_LINKWARN
+#@@# Added file 0 SARE_HTML_SPANNER
+
+# License: Artistic - see http://www.rulesemporium.com/license.txt
+# Current Maintainer: Bob Menschel - RMSA@Menschel.net
+# Current Home: http://www.rulesemporium.com/rules/70_sare_html0.cf
+#
+# Usage: This family of files, 70_sare_html*.cf, contain rules that test HTML strings within emails
+# (except URIs, which are handled in the 70_sare_uri*.cf family of files).
+#
+# File 0: 70_sare_html0.cf -- These are html rules that hit at least 10 spam and no ham.
+# While SARE cannot guarantee they never will hit ham, they have not hit ham in any SARE mass-check, against tens of thousands of ham.
+# This is a rules file we expect any/all email systems using SpamAssassin to benefit from.
+#
+# File 1: 70_sare_html1.cf -- These are html rules that meet one of the follow criteria:
+# a) Rules that do, or in the past have hit ham during SARE mass-check tests
+# b) Rules that hit no ham and currently do not hit more than 10 spam in any single mass-check run.
+# If the rules hit ham, they hit at last 10 spam to each 1 ham.
+# If the rules hit ham, they hit fewer than 100 ham
+# With few exceptions these rules score significantly less than the rules in file 0.
+# Systems which are very sensitive to false positives and/or need to be very careful about resource use may want to exclude this ruleset,
+# pick and choose among its rules, or lower their scores.
+# Systems that use this file 1 should ALSO use file 0.
+#
+# File 2: 70_sare_html2.cf -- These html rules hit no spam at this time, but they are considered "safe" rules that should never hit ham.
+# These are primarily rules that test for specific html seen only in spam, or similar types of "pretty darn sure" rules.
+# Systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset file to avoid its overhead,
+# but systems with plenty of resources that want to be aggressive against spam may benefit from this ruleset file.
+#
+# File 3: 70_sare_html3.cf -- These are html rules that hit a significant amount of ham during SARE mass-check tests.
+# Systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
+#
+# File 4: 70_sare_html4.cf -- These are html rules that meet one of the following criteria:
+# a) They hit over 100 ham during SARE mass-check tests, but still hit enough spam to be worth while to aggressively anti-spam systems.
+# b) They hit no emails at this time, but have been recommended by anti-spam sources.
+# Again, systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
+#
+# eng: 70_sare_html_eng.cf -- These are html rules which work well within the English language, but are liable to cause false
+# positives in other languages. They include rules which test for letter combinations. Systems that
+# receive ham in languages other than English should NOT use this file.
+#
+# x30: 70_sare_html_x30.cf -- These are html rules which have been incorporated into SpamAssassin 3.0.x,
+# or which duplicate or greatly overlap 3.0.x rules.
+# Systems which have installed SpamAssassin 3.0.x should therefore NOT use this file.
+#
+# arc: 70_sare_html_arc.cf -- These are html rules that once were published in other files, but which have since lost all value.
+# They either hit too much ham (without hitting enough spam to make it worth while), or they don't hit any spam.
+# SARE regularly runs mass-checks on these rules to see if any of them are worth reviving, but
+# we expect that nobody will be running these rules in any production system.
+#
+######## ###################### ##################################################
+
+######## ###################### ##################################################
+# Rules renamed or moved
+######## ###################### ##################################################
+
+meta SARE_HTML_ALT_WAIT2 __SARE_HEAD_FALSE
+meta SARE_HTML_BADOPEN __SARE_HEAD_FALSE
+meta SARE_HTML_BAD_FG_CLR __SARE_HEAD_FALSE
+meta SARE_HTML_COLOR_B __SARE_HEAD_FALSE
+meta SARE_HTML_COLOR_NWHT3 __SARE_HEAD_FALSE
+meta SARE_HTML_FONT_INVIS2 __SARE_HEAD_FALSE
+meta SARE_HTML_FSIZE_1ALL __SARE_HEAD_FALSE
+meta SARE_HTML_GIF_DIM __SARE_HEAD_FALSE
+meta SARE_HTML_HTML_AFTER __SARE_HEAD_FALSE
+meta SARE_HTML_HTML_DBL __SARE_HEAD_FALSE
+meta SARE_HTML_HTML_TBL __SARE_HEAD_FALSE
+meta SARE_HTML_IMG_ONLY __SARE_HEAD_FALSE
+meta SARE_HTML_JVS_HREF __SARE_HEAD_FALSE
+meta SARE_HTML_MANY_BR10 __SARE_HEAD_FALSE
+meta SARE_HTML_MANY_BR10 __SARE_HEAD_FALSE
+meta SARE_HTML_NO_BODY __SARE_HEAD_FALSE
+meta SARE_HTML_NO_HTML1 __SARE_HEAD_FALSE
+meta SARE_HTML_P_JUSTIFY __SARE_HEAD_FALSE
+meta SARE_HTML_TITLE_SEX __SARE_HEAD_FALSE
+meta SARE_HTML_URI_2SLASH __SARE_HEAD_FALSE
+meta SARE_HTML_URI_AXEL __SARE_HEAD_FALSE
+meta SARE_HTML_URI_BADQRY __SARE_HEAD_FALSE
+meta SARE_HTML_URI_FORMPHP __SARE_HEAD_FALSE
+meta SARE_HTML_URI_HREF __SARE_HEAD_FALSE
+meta SARE_HTML_URI_MANYP2 __SARE_HEAD_FALSE
+meta SARE_HTML_URI_MANYP3 __SARE_HEAD_FALSE
+meta SARE_HTML_URI_NUMPHP3 __SARE_HEAD_FALSE
+meta SARE_HTML_URI_OBFU4 __SARE_HEAD_FALSE
+meta SARE_HTML_URI_OBFU4a __SARE_HEAD_FALSE
+meta SARE_HTML_URI_PARTID __SARE_HEAD_FALSE
+meta SARE_HTML_URI_RID __SARE_HEAD_FALSE
+meta SARE_HTML_USL_MULT __SARE_HEAD_FALSE
+meta SARE_HTML_FONT_EBEF __SARE_HEAD_FALSE
+meta SARE_HTML_URI_DEFASP __SARE_HEAD_FALSE
+meta SARE_HTML_INV_TAGA __SARE_HEAD_FALSE
+meta SARE_HTML_EHTML_OBFU __SARE_HEAD_FALSE
+meta SARE_HTML_HEAD_AFFIL __SARE_HEAD_FALSE
+meta SARE_HTML_LEAKTHRU1 __SARE_HEAD_FALSE
+meta SARE_HTML_LEAKTHRU2 __SARE_HEAD_FALSE
+meta SARE_HTML_ONE_LINE3 __SARE_HEAD_FALSE
+meta SARE_HTML_POB1200 __SARE_HEAD_FALSE
+meta SARE_HTML_URI_HIDADD __SARE_HEAD_FALSE
+meta SARE_HTML_URI_LOGOGEN __SARE_HEAD_FALSE
+meta SARE_HTML_URI_OFF __SARE_HEAD_FALSE
+meta SARE_HTML_USL_B7 __SARE_HEAD_FALSE
+meta SARE_HTML_USL_B9 __SARE_HEAD_FALSE
+meta SARE_PHISH_HTML_01 __SARE_HEAD_FALSE
+
+######## ###################### ##################################################
+
+rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
+rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
+rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
+rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
+rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
+rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
+rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
+rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
+
+rawbody __SARE_HTML_HBODY m''i
+rawbody __SARE_HTML_BEHTML m''i
+rawbody __SARE_HTML_BEHTML2 m'^'i
+rawbody 
__SARE_HTML_EFONT m'^'i +rawbody __SARE_HTML_EHEB m'^'i +rawbody __SARE_HTML_CMT_CNTR /
/i +describe SARE_HTML_CMT_MONEY HTML Comment seems to mention money +score SARE_HTML_CMT_MONEY 0.100 +#counts SARE_HTML_CMT_MONEY 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04 +#counts SARE_HTML_CMT_MONEY 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2 + +######## ###################### ################################################## +# Image tag tests +######## ###################### ################################################## + +rawbody SARE_HTML_GIF_NUM /\.gif\d{2,}/i +describe SARE_HTML_GIF_NUM HTML contains tracking numbers after .gif +score SARE_HTML_GIF_NUM 0.100 +#counts SARE_HTML_GIF_NUM 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04 +#counts SARE_HTML_GIF_NUM 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2 + +######## ###################### ################################################## +# Paragraphs, breaks, and spacings +######## ###################### ################################################## + +rawbody SARE_HTML_BR_MANY /
{5}/i +describe SARE_HTML_BR_MANY Too many sequential identical HTML tags +score SARE_HTML_BR_MANY 0.555 +#stype SARE_HTML_BR_MANY spamp +#counts SARE_HTML_BR_MANY 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#max SARE_HTML_BR_MANY 2s/0h of 258858 corpus (114246s/144612h RM) 05/27/05 +#counts SARE_HTML_BR_MANY 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_HTML_BR_MANY 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#counts SARE_HTML_BR_MANY 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05 + +rawbody __SARE_HTML_MANY_BR05 /
\s*
\s*
\s*
\s*
\s*
/i +meta SARE_HTML_MANY_BR05 __SARE_HTML_MANY_BR05 && HTML_MESSAGE +describe SARE_HTML_MANY_BR05 Tooo many
's! +score SARE_HTML_MANY_BR05 0.500 +#hist SARE_HTML_MANY_BR05 Contrib by Matt Keller June 7 2004 +#note SARE_HTML_MANY_BR05 Remove HTML_MESSAGE test increases spam 4% but doubles ham +#hist SARE_HTML_MANY_BR05 this and SARE_HTML_MANY_BR10 obsolete SARE_HTML_TD_BR4 = FR_WICKED_SPAM_?? +#counts SARE_HTML_MANY_BR05 0s/0h of 114422 corpus (81069s/33353h RM) 01/16/05 +#alone SARE_HTML_MANY_BR05 2051s/43h of 66351 corpus (40971s/25380h RM) 08/21/04 +#counts SARE_HTML_MANY_BR05 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05 +#max SARE_HTML_MANY_BR05 755s/2h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04 +#counts SARE_HTML_MANY_BR05 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05 + +######## ###################### ################################################## +# Javascript and object tests +######## ###################### ################################################## + +rawbody SARE_HTML_JVS_POPUP /'i +rawbody __SARE_HTML_BEHTML m''i +rawbody __SARE_HTML_BEHTML2 m'^'i +rawbody __SARE_HTML_EFONT m'^'i +rawbody __SARE_HTML_EHEB m'^'i +rawbody __SARE_HTML_CMT_CNTR /
/i +describe SARE_HTML_CMT_MONEY HTML Comment seems to mention money +score SARE_HTML_CMT_MONEY 0.100 +#counts SARE_HTML_CMT_MONEY 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04 +#counts SARE_HTML_CMT_MONEY 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2 + +######## ###################### ################################################## +# Image tag tests +######## ###################### ################################################## + +rawbody SARE_HTML_GIF_NUM /\.gif\d{2,}/i +describe SARE_HTML_GIF_NUM HTML contains tracking numbers after .gif +score SARE_HTML_GIF_NUM 0.100 +#counts SARE_HTML_GIF_NUM 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04 +#counts SARE_HTML_GIF_NUM 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2 + +######## ###################### ################################################## +# Paragraphs, breaks, and spacings +######## ###################### ################################################## + +rawbody SARE_HTML_BR_MANY /
{5}/i +describe SARE_HTML_BR_MANY Too many sequential identical HTML tags +score SARE_HTML_BR_MANY 0.555 +#stype SARE_HTML_BR_MANY spamp +#counts SARE_HTML_BR_MANY 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 +#max SARE_HTML_BR_MANY 2s/0h of 258858 corpus (114246s/144612h RM) 05/27/05 +#counts SARE_HTML_BR_MANY 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2 +#counts SARE_HTML_BR_MANY 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#counts SARE_HTML_BR_MANY 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05 + +rawbody __SARE_HTML_MANY_BR05 /
\s*
\s*
\s*
\s*
\s*
/i +meta SARE_HTML_MANY_BR05 __SARE_HTML_MANY_BR05 && HTML_MESSAGE +describe SARE_HTML_MANY_BR05 Tooo many
's! +score SARE_HTML_MANY_BR05 0.500 +#hist SARE_HTML_MANY_BR05 Contrib by Matt Keller June 7 2004 +#note SARE_HTML_MANY_BR05 Remove HTML_MESSAGE test increases spam 4% but doubles ham +#hist SARE_HTML_MANY_BR05 this and SARE_HTML_MANY_BR10 obsolete SARE_HTML_TD_BR4 = FR_WICKED_SPAM_?? +#counts SARE_HTML_MANY_BR05 0s/0h of 114422 corpus (81069s/33353h RM) 01/16/05 +#alone SARE_HTML_MANY_BR05 2051s/43h of 66351 corpus (40971s/25380h RM) 08/21/04 +#counts SARE_HTML_MANY_BR05 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05 +#max SARE_HTML_MANY_BR05 755s/2h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04 +#counts SARE_HTML_MANY_BR05 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05 + +######## ###################### ################################################## +# Javascript and object tests +######## ###################### ################################################## + +rawbody SARE_HTML_JVS_POPUP /'i +rawbody __SARE_HTML_BEHTML m''i +rawbody __SARE_HTML_BEHTML2 m'^'i +rawbody __SARE_HTML_EFONT m'^'i +rawbody __SARE_HTML_EHEB m'^'i +rawbody __SARE_HTML_CMT_CNTR /
+#ham SARE_HTML_HTML_BEFORE > and II> (quoted emails, with HTML tag after the > quote indicator) +#counts SARE_HTML_HTML_BEFORE 2203s/811h of 333405 corpus (262498s/70907h RM) 05/12/06 +#counts SARE_HTML_HTML_BEFORE 360s/28h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_HTML_BEFORE 751s/38h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_HTML_BEFORE 27s/45h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#max SARE_HTML_HTML_BEFORE 40s/45h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05 +#counts SARE_HTML_HTML_BEFORE 43s/5h of 11260 corpus (6568s/4692h CT) 06/17/05 +#counts SARE_HTML_HTML_BEFORE 0s/27h of 6804 corpus (1336s/5468h ft) 06/17/05 +#counts SARE_HTML_HTML_BEFORE 353s/17h of 23099 corpus (17359s/5740h MY) 05/14/06 +#max SARE_HTML_HTML_BEFORE 762s/14h of 47221 corpus (42968s/4253h MY) 06/18/05 + +######## ###################### ################################################## +# Spamsign character sets and fonts +######## ###################### ################################################## + +rawbody SARE_HTML_BAD_FG_CLR 
/[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\">])(?!$|"|\#?(?!\#)(?:[a-f0-9]{3}(?:['";\s><}&]|$)|[a-f0-9]{6}0?(?:['";\s><}&]|$))|rgb\(\s{0,10}(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\s{0,10},\s{0,10}(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\s{0,10},\s{0,10}(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\s{0,10}\)|rgb\(\s{0,10}1?[0-9]?[0-9]%\s{0,10},\s{0,10}1?[0-9]?[0-9]%\s{0,10},\s{0,10}1?[0-9]?[0-9]%\)|transparent|Black|White|Red|Yellow|Lime|Aqua|Blue|Fuchsia|Gr[ae]y|Silver|Maroon|Olive|Green|Teal|Navy|Purple|AliceBlue|AliceBlue|AntiqueWhite|Aqua|Aquamarine|Azure|Beige|Bisque|Black|BlanchedAlmond|Blue|BlueViolet|Brown|BurlyWood|CadetBlue|Chartreuse|Chocolate|Coral|CornflowerBlue|Cornsilk|Crimson|Cyan|DarkBlue|DarkCyan|DarkGoldenrod|DarkGr[ae]y|DarkGreen|DarkKhaki|DarkMagenta|DarkOliveGreen|DarkOrange|DarkOrchid|DarkRed|DarkSalmon|DarkSeaGreen|DarkSlateBlue|DarkSlateGray|DarkTurquoise|DarkViolet|DeepPink|DeepSkyBlue|DimGray|DodgerBlue|FireBrick|FloralWhite|ForestGreen|Fuchsia|Gainsboro|GhostWhite|Gold|Goldenrod|Gr[ae]y|Green|GreenYellow|Honeydew|HotPink|IndianRed|Indigo|Ivory|Khaki|Lavender|LavenderBlush|LawnGreen|LemonChiffon|LightBlue|LightCoral|LightCyan|LightGoldenrodYellow|LightGreen|LightGrey|LightPink|LightSalmon|LightSeaGreen|LightSkyBlue|LightSlateGray|LightSteelBlue|LightYellow|Lime|LimeGreen|Linen|Magenta|Maroon|MediumAquamarine|MediumBlue|MediumOrchid|MediumPurple|MediumSeaGreen|MediumSlateBlue|MediumSpringGreen|MediumTurquoise|MediumVioletRed|MidnightBlue|MintCream|MistyRose|Moccasin|NavajoWhite|Navy|OldLace|Olive|OliveDrab|Orange|OrangeRed|Orchid|PaleGoldenrod|PaleGreen|PaleTurquoise|PaleVioletRed|PapayaWhip|PeachPuff|Peru|Pink|Plum|PowderBlue|Purple|Red|RosyBrown|RoyalBlue|SaddleBrown|Salmon|SandyBrown|SeaGreen|Seashell|Sienna|Silver|SkyBlue|SlateBlue|SlateGray|Snow|SpringGreen|SteelBlue|Tan|Teal|Thistle|Tomato|Turquoise|Violet|Wheat|White|WhiteSmoke|Yellow|YellowGreen|ActiveBorder|ActiveCaption|AppWorkspace|Background|Buttonface|ButtonHighligh
t|ButtonShadow|ButtonText|CaptionText|GrayText|Highlight|HighlightText|InactiveBorder|InactiveCaption|InactiveCaptionText|InfoBackground|InfoText|Menu|MenuText|Scrollbar|ThreeDDarkShadow|ThreeDFace|ThreeDHighlight|ThreeDLightShadow|ThreeDShadow|Window(?:Frame|WindowText)?).{1,15}/i
+score SARE_HTML_BAD_FG_CLR 0.188
+describe SARE_HTML_BAD_FG_CLR Uses illegal color code
+#counts SARE_HTML_BAD_FG_CLR 1253s/470h of 333405 corpus (262498s/70907h RM) 05/12/06
+#counts SARE_HTML_BAD_FG_CLR 206s/7h of 56053 corpus (51711s/4342h AxB2) 05/15/06
+#counts SARE_HTML_BAD_FG_CLR 37s/5h of 11260 corpus (6568s/4692h CT) 06/17/05
+#counts SARE_HTML_BAD_FG_CLR 253s/98h of 155688 corpus (104077s/51611h DOC) 05/15/06
+#counts SARE_HTML_BAD_FG_CLR 0s/25h of 6804 corpus (1336s/5468h ft) 06/17/05
+#counts SARE_HTML_BAD_FG_CLR 52s/11h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
+#max SARE_HTML_BAD_FG_CLR 156s/1h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
+#counts SARE_HTML_BAD_FG_CLR 124s/32h of 23099 corpus (17359s/5740h MY) 05/14/06
+
+rawbody SARE_HTML_COLOR_A /(?:style="?|]*>)[^>"]*[^-]color\s*:\s*(?!\#ffffff)\#(?:[e-f]{3}\b|(?:[e-f][0-9a-f]){3})[^>]*>/i
+describe SARE_HTML_COLOR_A BAD STYLE: color: too light (rgb)
+score SARE_HTML_COLOR_A 0.150
+#hist SARE_HTML_COLOR_A From Jesse Houwing May 14 2004
+#overlap SARE_HTML_COLOR_A Spam overlaps SARE_HTML_FSIZE_1ALL (ham does not)
+#counts SARE_HTML_COLOR_A 79s/109h of 333405 corpus (262498s/70907h RM) 05/12/06
+#max SARE_HTML_COLOR_A 149s/306h of 258858 corpus (114246s/144612h RM) 05/27/05
+#counts SARE_HTML_COLOR_A 4s/12h of 56053 corpus (51711s/4342h AxB2) 05/15/06
+#counts SARE_HTML_COLOR_A 38s/0h of 155688 corpus (104077s/51611h DOC) 05/15/06
+#counts SARE_HTML_COLOR_A 283s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
+#counts SARE_HTML_COLOR_A 16s/13h of 23099 corpus (17359s/5740h MY) 05/14/06
+#max SARE_HTML_COLOR_A 137s/5h of 26326 corpus (22886s/3440h MY) 02/15/05
+#counts SARE_HTML_COLOR_A 11s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
+#max SARE_HTML_COLOR_A 33s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
+#counts SARE_HTML_COLOR_A 0s/25h of 6804 corpus (1336s/5468h ft) 06/17/05
+
+meta SARE_HTML_COLOR_NWHT ( __SARE_HTML_COLOR_NWH || __SARE_HTML_COLOR_NWH2 ) && !__SARE_HTML_COLOR_WH && !__SARE_BLACK_BG_COLOR
+describe SARE_HTML_COLOR_NWHT HTML contains nearly white color (F.F.F.)
+score SARE_HTML_COLOR_NWHT 0.623
+#hist SARE_HTML_COLOR_NWHT Contrib by Matt Keller June 7 2004
+#counts SARE_HTML_COLOR_NWHT 1453s/174h of 333405 corpus (262498s/70907h RM) 05/12/06
+#max SARE_HTML_COLOR_NWHT 3678s/637h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HTML_COLOR_NWHT 406s/30h of 56053 corpus (51711s/4342h AxB2) 05/15/06
+#counts SARE_HTML_COLOR_NWHT 876s/61h of 155688 corpus (104077s/51611h DOC) 05/15/06
+#counts SARE_HTML_COLOR_NWHT 725s/12h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
+#max SARE_HTML_COLOR_NWHT 835s/12h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
+#counts SARE_HTML_COLOR_NWHT 36s/3h of 23099 corpus (17359s/5740h MY) 05/14/06
+#max SARE_HTML_COLOR_NWHT 214s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
+#counts SARE_HTML_COLOR_NWHT 3s/4h of 7500 corpus (1767s/5733h ft) 09/18/05
+#counts SARE_HTML_COLOR_NWHT 60s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_HTML_COLOR_NWHT 106s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
+
+meta SARE_HTML_COLOR_NWHT2 ( __SARE_LIGHT_FG_COLOR && !__SARE_WHITE_FG_COLOR && !__SARE_BLACK_BG_COLOR && !SARE_HTML_COLOR_NWHT )
+describe SARE_HTML_COLOR_NWHT2 Light color on a white background
+score SARE_HTML_COLOR_NWHT2 0.630
+#hist SARE_HTML_COLOR_NWHT2 Jesse Houwing
+#counts SARE_HTML_COLOR_NWHT2 91s/39h of 333405 corpus (262498s/70907h RM) 05/12/06
+#max SARE_HTML_COLOR_NWHT2 950s/17h of 269462 corpus (128310s/141152h RM) 06/17/05
+#counts SARE_HTML_COLOR_NWHT2 44s/1h of 56053 corpus (51711s/4342h AxB2) 05/15/06
+#counts SARE_HTML_COLOR_NWHT2 225s/0h of 155688 corpus (104077s/51611h DOC) 05/15/06
+#counts SARE_HTML_COLOR_NWHT2 282s/8h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
+#counts SARE_HTML_COLOR_NWHT2 37s/9h of 23099 corpus (17359s/5740h MY) 05/14/06
+#max SARE_HTML_COLOR_NWHT2 621s/2h of 47221 corpus (42968s/4253h MY) 06/18/05
+#counts SARE_HTML_COLOR_NWHT2 0s/2h of 4676 corpus (808s/3868h ft) 05/28/05
+#counts SARE_HTML_COLOR_NWHT2 120s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_HTML_COLOR_NWHT2 159s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
+
+rawbody __SARE_LIGHT_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!fff\W|ffffff)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
+rawbody __SARE_WHITE_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
+rawbody __SARE_DARK_FG_COLOR 
/[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i +rawbody __SARE_BLACK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i +rawbody __SARE_LIGHT_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!ffffff|fff\W)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i +rawbody __SARE_WHITE_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i +rawbody __SARE_DARK_BG_COLOR 
/(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i +rawbody __SARE_BLACK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i +rawbody __SARE_HAS_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=)/i +rawbody __SARE_HAS_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=)/i +rawbody __SARE_HTML_COLOR_WH /<[^>]+\Wcolor(:|=(3d)?)[\s\"\']*(white|\#?FFFFFF)\b/i +rawbody __SARE_HTML_COLOR_NWH /<[^>]+\Wcolor(:|=(3d)?)[\s\"\']*\#?F.F.F./i +rawbody __SARE_HTML_COLOR_NWH2 /<[^>]+\Wcolor(:|=(3d)?)[\s\"\']*\#?(E.F.F.|F.E.F.|F.F.E.)/i + +meta SARE_HTML_COLOR_NWHT3 ( __SARE_LIGHT_FG_COLOR && __SARE_LIGHT_BG_COLOR && !SARE_HTML_COLOR_NWHT ) +describe SARE_HTML_COLOR_NWHT3 Light color on a light background +score SARE_HTML_COLOR_NWHT3 0.254 +#hist SARE_HTML_COLOR_NWHT3 Jesse Houwing +#counts SARE_HTML_COLOR_NWHT3 172s/74h of 333405 corpus (262498s/70907h RM) 05/12/06 +#max SARE_HTML_COLOR_NWHT3 253s/347h of 258858 corpus (114246s/144612h RM) 05/27/05 +#counts SARE_HTML_COLOR_NWHT3 58s/9h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_COLOR_NWHT3 113s/0h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_COLOR_NWHT3 108s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#counts SARE_HTML_COLOR_NWHT3 0s/4h of 6804 corpus (1336s/5468h ft) 06/17/05 +#counts SARE_HTML_COLOR_NWHT3 8s/1h of 
11260 corpus (6568s/4692h CT) 06/17/05
+#counts SARE_HTML_COLOR_NWHT3 21s/16h of 23099 corpus (17359s/5740h MY) 05/14/06
+#max SARE_HTML_COLOR_NWHT3 33s/7h of 47221 corpus (42968s/4253h MY) 06/18/05
+
+rawbody SARE_HTML_FONT_INVIS1 /color="\#FFFFF[0-9A-E]"/i
+describe SARE_HTML_FONT_INVIS1 Message contains nearly white color text
+score SARE_HTML_FONT_INVIS1 1.242
+#overlap SARE_HTML_FONT_INVIS1 Significant overlap with SARE_HTML_COLOR_NWH1
+#counts SARE_HTML_FONT_INVIS1 914s/17h of 333405 corpus (262498s/70907h RM) 05/12/06
+#max SARE_HTML_FONT_INVIS1 3891s/239h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_HTML_FONT_INVIS1 441s/0h of 56053 corpus (51711s/4342h AxB2) 05/15/06
+#counts SARE_HTML_FONT_INVIS1 474s/0h of 155688 corpus (104077s/51611h DOC) 05/15/06
+#counts SARE_HTML_FONT_INVIS1 570s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
+#counts SARE_HTML_FONT_INVIS1 4s/0h of 23099 corpus (17359s/5740h MY) 05/14/06
+#max SARE_HTML_FONT_INVIS1 26s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
+#counts SARE_HTML_FONT_INVIS1 65s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_HTML_FONT_INVIS1 3s/2h of 7500 corpus (1767s/5733h ft) 09/18/05
+
+rawbody SARE_HTML_FSIZE_1ALL /(?:style=(?:3d)?"?|]*>)[^>"]*font(?:-size)?\s{0,10}:[\s'"]*\b(?:-?0*([0-5](?:\.\d+)?\s{0,10}(?:(?!px|pt|%|em|in|mm|cm|pc|px|pt)[^\d\s]|(?:px|pt))|(?:[0-4]0|[0-9])?(?:\.\d+)?\s{0,10}%|(?:\.[0-4]\d*)\s{0,10}em|0(?:\.\d*)?\s{0,10}(?:ex|mm)|(?:\.0\d*)?\s{0,10}in|0\.(?:[01]\d*)?\s{0,10}cm|\.0(?:[0-3]\d*)?\s{0,10}pc)|xx-small)[^>]*>/i
+describe SARE_HTML_FSIZE_1ALL BAD STYLE: font(?:-size) too small
+score SARE_HTML_FSIZE_1ALL 0.217
+#hist SARE_HTML_FSIZE_1ALL Performance & reliability improvements by Jesse Houwing
+#counts SARE_HTML_FSIZE_1ALL 652s/414h of 333405 corpus (262498s/70907h RM) 05/12/06
+#max SARE_HTML_FSIZE_1ALL 3040s/133h of 196718 corpus (96193s/100525h RM) 02/22/05
+#counts SARE_HTML_FSIZE_1ALL 47s/33h of 56053 corpus (51711s/4342h AxB2) 05/15/06
+#counts SARE_HTML_FSIZE_1ALL 679s/105h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_FSIZE_1ALL 722s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#max SARE_HTML_FSIZE_1ALL 1214s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04 +#counts SARE_HTML_FSIZE_1ALL 112s/11h of 23099 corpus (17359s/5740h MY) 05/14/06 +#max SARE_HTML_FSIZE_1ALL 415s/7h of 47221 corpus (42968s/4253h MY) 06/18/05 +#counts SARE_HTML_FSIZE_1ALL 6s/44h of 6804 corpus (1336s/5468h ft) 06/17/05 +#counts SARE_HTML_FSIZE_1ALL 174s/6h of 11260 corpus (6568s/4692h CT) 06/17/05 +#max SARE_HTML_FSIZE_1ALL 232s/5h of 10826 corpus (6364s/4462h CT) 05/28/05 + +rawbody SARE_HTML_INV_CHARSET /charset=(?:3D)?(?!3D)(?:["']|"|\s)*(?!['"]|"|\s)(?!$|x-euc-jp|Cp1252|iso-8851-15|windows-874|ansi|unicode|437|8(?:5[01257]|6[0123569])|904|a(?:dobe\-s(?:tandard|ymbol)\-encoding|mi(?:ga\-?|\-)?1251|nsi_x3\.(?:110\-1983|4\-19(?:68|86))|rabic7?|s(?:cii|mo(?:\-708|_449)))|b(?:ig5(?:\-hkscs)?|ocu\-1|s_(?:4730|viewdata))|c(?:csid0(?:0(?:858|924)|114[0123456789])|esu\-8|hinese|p(?:0(?:0(?:858|924)|114[0123456789]|3[78])|1(?:026|54)|2(?:7[3458]|8[0145]|9[07])|367|4(?:2[034]|37)|500|775|8(?:19|5[01257]|6\d|7[01]|80|91)|9(?:0[345]|18|36)|\-(?:ar|gr|is))|s(?:a(?:7\-[12]|_(?:t500\-1983|z243\.4\-1985\-(?:gr|[12]))|dobestandardencoding|scii)|b(?:ig5|ocu\-1)|cesu\-8|d(?:ecmc|ku)s|e(?:bcdic(?:atdea|cafr|dknoa?|es[as]?|f(?:isea?|r)|it|pt|u[ks])|uc(?:fixwidjapanese|kr|pkdfmtjapanese))|gb2312|h(?:alfwidthkatakana|p(?:desktop|legal|math8|p(?:ifont|smath)|roman8))|i(?:b(?:bm904|m(?:03[78]|1026|2(?:7[34578]|8[0145]|9[07])|42[034]|500|8(?:5[157]|6[01345689]|7[01]|80|91)|9(?:0[35]|18)|ebcdicatde|symbols|thai))|nvariant|so(?:1(?:0(?:2t617bit|3(?:67box|t618bit)|646utf1|swedish)|1(?:1ecmacyrillic|swedishfornames)|2(?:1canadian1|2canadian2|3csaz24341985gr|8t101g2)|3(?:9csn369103|jisc6220jp)|4(?:1jusib1002|3iecp271|6serbian|7macedonian|jisc6220ro)|5(?:0greekccitt|1cuba|3gost1976874|8lap|9jisx02121990|italian|0)|6po
rtuguese|7spanish|8greek7old|9latingreek)|2(?:0(?:22(?:jp2?|kr)|33)|1german|5french|7latingreek1|intlrefversion)|4(?:2jisc62261978|7bsviewdata|9inis|unitedkingdom)|5(?:0inis8|1iniscyrillic|42(?:7cyrillic|8greek)|7gb1988|8gb231280)|6(?:0(?:danishnorwegian|norwegian1)|1norwegian2|46(?:basic1983|danish)|9(?:37add|french))|70videotexsupp1|8(?:4portuguese2|5spanish2|6hungarian|7jisx0208|8(?:59(?:6[ei]|8[ei]|supp)|greek7)|9asmo449)|9(?:1jisc62291984a|2jisc62991984b|3jis62291984badd|4jis62291984hand|5jis62291984handadd|6jisc62291984kana|9naplps|0)|latin(?:arabic|cyrillic|greek|hebrew|[123456])|textcomm))|jisencoding|k(?:oi8r|sc56(?:011987|36))|m(?:acintosh|icrosoftpublishing|nem(?:onic)?)|n(?:_369103|ats(?:dano(?:add)?|sefi(?:add)?))|p(?:c(?:775baltic|8(?:50multilingual|62latinhebrew|codepage437|danishnorwegian|turkish)|p852)|tcp154)|shiftjis|u(?:cs4|n(?:icode(?:11(?:utf7)?|ascii|ibm12(?:6[1458]|76)|latin1)?|known8bit)|sdk)|v(?:entura(?:international|math|us)|i(?:qr|scii))|windows3(?:0latin1|1(?:latin[125]|j)))|uba|yrillic(?:\-asian)?|[an])|d(?:ec(?:\-mcs)?|in_66003|k\-us|s_?2089|[ek])|e(?:13b|bcdic\-(?:at\-de(?:\-a)?|b[er]|c(?:a\-fr|p\-(?:ar[12]|be|c[ah]|dk|es|f[ir]|g[br]|he|i[st]|n[lo]|roece|se|tr|us|wt|yu)|yrillic)|d(?:e\-273\+euro|k\-(?:277\+euro|no(?:\-a)?))|es(?:\-(?:284\+euro|[as]))?|f(?:i\-(?:278\+euro|se(?:\-a)?)|r\-297\+euro|r)|gb\-285\+euro|i(?:nt(?:ernational\-500\+euro)?|s\-871\+euro|t\-280\+euro|t)|jp\-(?:kana|e)|latin9\-\-euro|no\-277\+euro|pt|se\-278\+euro|u(?:s\-37\+euro|[ks]))|cma\-(?:11[48]|cyrillic)|lot_928|s2|uc\-(?:jp|kr)|xtended_unix_code_(?:fixed_width|packed_format)_for_japanese|s)|f[ir]|g(?:b(?:18030|2312|_(?:1988|2312)\-80|k)|ost_19768\-74|reek(?:7\-old|\-ccitt|[78])?|b)|h(?:ebrew|p\-(?:desktop|legal|math8|pi\-font|roman8)|z\-gb\-2312|u)|i(?:bm(?:0(?:0(?:858|924)|114[0123456789]|3[78])|10(?:26|47)|2(?:7[34578]|8[0145]|9[07])|367|4(?:2[034]|37)|500|775|8(?:19|5[01257]|6\d|7[01]|80|91)|9(?:0[345]|18)|\-(?:1047|symbols|thai))|ec_p27\-1|n(?:is(?:\-(?
:cyrillic|8))?|variant)|rv|so(?:5427cyrillic1981|646\-(?:c(?:a2|[anu])|d[ek]|es2?|f(?:r1|[ir])|gb|hu|it|jp(?:\-ocr\-b)?|kr|no2?|pt2?|se2?|us|yu)|\-(?:10646(?:\-(?:j\-1|u(?:cs\-(?:basic|[24])|nicode\-latin1|tf\-1)))?|2022\-(?:cn(?:\-ext)?|jp(?:\-2)?|kr)|8859\-(?:1(?:\-windows\-3\.[01]\-latin\-1|[03456])|2\-windows\-latin\-2|6\-[ei]|8\-[ei]|9\-windows\-latin\-5|[123456789])|celtic|ir\-(?:1(?:0[01239]|1[01]|2[123678]|3[89]|4[12346789]|5[012345789]|99|[013456789])|2(?:26|[157])|37|4[279]|5[014578]|6[019]|70|8(?:\-[12]|[456789])|9(?:\-[12]|\d)|[246])|unicode\-ibm\-12(?:6[1458]|76))|_(?:10367\-box|2033\-1983|542(?:7\:1981|8\:1980|7)|6(?:46\.(?:basic\:1983|irv\:19(?:83|91))|937\-2\-(?:25|add))|8859\-(?:1(?:0\:1992|4\:1998|6\:2001|\:1987|[456])|2\:1987|3\:1988|4\:1988|5\:1988|6(?:\-[ei]|\:1987)|7\:1987|8(?:\-[ei]|\:1988)|9\:1989|supp|[123456789])|9036))|t)|j(?:is_(?:c622(?:0\-1969(?:\-(?:jp|ro))?|6\-19(?:78|83)|9\-1984\-(?:b\-add|hand(?:\-add)?|kana|[ab]))|encoding|x02(?:0(?:8\-1983|1)|12\-1990))|p\-ocr\-(?:b\-add|hand(?:\-add)?|[ab])|us_i\.b1\.00(?:3\-(?:mac|serb)|2)|[ps])|k(?:atakana|o(?:i(?:7\-switched|8\-[eru])|rean)|s(?:_c_5601\-198[79]|c(?:5636|_5601)))|l(?:10|a(?:tin(?:1(?:\-2\-5|0)|\-(?:greek(?:\-1)?|lap|9)|[1234568])|p)|[1234568])|m(?:ac(?:edonian|intosh)?|icrosoft\-publishing|nem(?:onic)?|s(?:936|_kanji|z_7795\.3))|n(?:a(?:plps|ts\-(?:dano(?:\-add)?|sefi(?:\-add)?))|c_nc00\-10\:81|f_z_62\-010(?:_\(1973\))?|o2|s_4551\-[12]|o)|osd_ebcdic_df0(?:3_irv|4_15?)|p(?:c(?:8\-(?:danish\-norwegian|turkish)|\-multilingual\-850\+euro)|t(?:154|cp154|2)|t)|r(?:ef|oman8|8)|s(?:csu|e(?:n_850200_[bc]|rbian|2)|hift_jis|t_sev_358\-88|e)|t(?:\.(?:101\-g2|61(?:\-[78]bit)?)|is\-620)|u(?:n(?:icode\-1\-1(?:\-utf\-7)?|known\-8bit)|s\-(?:ascii|dk)|tf\-(?:16(?:be|le)?|32(?:be|le)?|[78])|[ks])|v(?:entura\-(?:international|math|us)|i(?:deotex\-suppl|qr|scii))|windows\-(?:125[012345678]|31j|936)|x02(?:0(?:1\-7|[18])|12)|yu)[a-z0-9._-]*(?![a-z0-9._-])(?!=)/i +describe SARE_HTML_INV_CHARSET 
Illegal chracterset in message +score SARE_HTML_INV_CHARSET 0.554 +#counts SARE_HTML_INV_CHARSET 188s/10h of 333405 corpus (262498s/70907h RM) 05/12/06 +#max SARE_HTML_INV_CHARSET 340s/214h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HTML_INV_CHARSET 3s/12h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_INV_CHARSET 58s/14h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_INV_CHARSET 111s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#max SARE_HTML_INV_CHARSET 130s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05 +#counts SARE_HTML_INV_CHARSET 18s/1h of 23099 corpus (17359s/5740h MY) 05/14/06 +#max SARE_HTML_INV_CHARSET 35s/1h of 47221 corpus (42968s/4253h MY) 06/18/05 +#counts SARE_HTML_INV_CHARSET 1s/0h of 11260 corpus (6568s/4692h CT) 06/17/05 +#max SARE_HTML_INV_CHARSET 4s/0h of 10826 corpus (6364s/4462h CT) 05/28/05 + +######## ###################### ################################################## +# Tag Tests +######## ###################### ################################################## + +rawbody SARE_HTML_TITLE_EMAIL /<TITLE>.*\@[\w.]+\.(?:com|info|net|org)<\/title>/i +describe SARE_HTML_TITLE_EMAIL HTML Title seems to include email address +score SARE_HTML_TITLE_EMAIL 0.346 +#ham SARE_HTML_TITLE_EMAIL service@payscale.com +#counts SARE_HTML_TITLE_EMAIL 11s/19h of 333405 corpus (262498s/70907h RM) 05/12/06 +#max SARE_HTML_TITLE_EMAIL 82s/11h of 175738 corpus (98979s/76759h RM) 02/14/05 +#counts SARE_HTML_TITLE_EMAIL 0s/0h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_TITLE_EMAIL 3s/0h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_TITLE_EMAIL 0s/0h of 32903 corpus (9660s/23243h JH) 05/24/04 +#counts SARE_HTML_TITLE_EMAIL 14s/0h of 10826 corpus (6364s/4462h CT) 05/28/05 +#counts SARE_HTML_TITLE_EMAIL 109s/2h of 23099 corpus (17359s/5740h MY) 05/14/06 + +######## ###################### ################################################## +# <A> and HREF 
rules +######## ###################### ################################################## + +rawbody __SARE_HTML_INCREDML m{content=3D"IncrediMail} +rawbody __SARE_HTML_A_HIDE m{<A HREF=3D\".+}i +meta SARE_HTML_A_HIDE __SARE_HTML_A_HIDE && !__SARE_HTML_INCREDML +describe SARE_HTML_A_HIDE contains HTML anchor href with = hidden +score SARE_HTML_A_HIDE 0.700 +#ham SARE_HTML_A_HIDE forward of a forward, strangely wrapped mail. +#counts SARE_HTML_A_HIDE 154s/6h of 333405 corpus (262498s/70907h RM) 05/12/06 +#max SARE_HTML_A_HIDE 373s/174h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HTML_A_HIDE 12s/0h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_A_HIDE 27s/1h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_A_HIDE 128s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#max SARE_HTML_A_HIDE 152s/0h of 32900 corpus (9656s/23244h JH) 05/24/04 +#counts SARE_HTML_A_HIDE 0s/4h of 57287 corpus (52272s/5015h MY) 09/22/05 +#max SARE_HTML_A_HIDE 30s/2h of 26326 corpus (22886s/3440h MY) 02/15/05 +#counts SARE_HTML_A_HIDE 17s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 +#max SARE_HTML_A_HIDE 68s/0h of 10826 corpus (6364s/4462h CT) 05/28/05 + +######## ###################### ################################################## +# Invalid or Suspicious URI Tests +######## ###################### ################################################## + +uri SARE_HTML_URI_2SLASH m{\//..{20,80}(?<!http:)//}i +describe SARE_HTML_URI_2SLASH URI has additional double slash within it +score SARE_HTML_URI_2SLASH 0.209 +#counts SARE_HTML_URI_2SLASH 1121s/661h of 333405 corpus (262498s/70907h RM) 05/12/06 +#counts SARE_HTML_URI_2SLASH 299s/50h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_URI_2SLASH 1616s/27h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_URI_2SLASH 27s/8h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#max SARE_HTML_URI_2SLASH 50s/3h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04 
+#counts SARE_HTML_URI_2SLASH 108s/21h of 23099 corpus (17359s/5740h MY) 05/14/06 +#max SARE_HTML_URI_2SLASH 418s/15h of 47221 corpus (42968s/4253h MY) 06/18/05 +#counts SARE_HTML_URI_2SLASH 1s/74h of 6804 corpus (1336s/5468h ft) 06/17/05 +#counts SARE_HTML_URI_2SLASH 19s/6h of 11260 corpus (6568s/4692h CT) 06/17/05 + +rawbody __SARE_HTML_URR_OBFU3 /(&\#\d{1,3};){4}/i +describe __SARE_HTML_URR_OBFU3 URI with obfuscated destination +#hist __SARE_HTML_URR_OBFU3 Mike Kuentz +#hist __SARE_HTML_URR_OBFU3 Generalization/expansion suggested by Loren Wilton +rawbody __SARE_HTML_URR_MAILTO m'(?:mailto|\&\#109;\&\#97;\&\#105;\&\#108;\&\#116;\&\#111;)(?:\&\#58;|:)' +rawbody __SARE_HTML_URR_OBMAIL /\&\#109;\&\#97;\&\#105;\&\#108;\&\#116;\&\#111;/ +meta SARE_HTML_URR_OBFU3B __SARE_HTML_URR_OBFU3 && !__SARE_HTML_URR_MAILTO && !__SARE_HTML_URR_OBMAIL +describe SARE_HTML_URR_OBFU3B URI with obfuscated destination +score SARE_HTML_URR_OBFU3B 0.257 +#overlap SARE_HTML_URR_OBFU3B Removed SARE_HTML_URR_OBFU6 and SARE_HTML_URR_OBFU2 due to overlap: m'\&\#104;\&\#116;\&\#116;\&\#112;' and /(&\#119;){3}/ +#counts SARE_HTML_URR_OBFU3B 86s/40h of 333405 corpus (262498s/70907h RM) 05/12/06 +#max SARE_HTML_URR_OBFU3B 169s/109h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HTML_URR_OBFU3B 5s/5h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_URR_OBFU3B 118s/3h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_URR_OBFU3B 7s/0h of 23099 corpus (17359s/5740h MY) 05/14/06 +#max SARE_HTML_URR_OBFU3B 62s/0h of 13451 corpus (11340s/2111h MY) 06/02/04 +#counts SARE_HTML_URR_OBFU3B 2s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#max SARE_HTML_URR_OBFU3B 106s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04 +#counts SARE_HTML_URR_OBFU3B 13s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 + +######## ###################### ################################################## +# Image tag tests +######## ###################### 
################################################## + +######## ###################### ################################################## +# Paragraphs, breaks, and spacings +######## ###################### ################################################## + +full SARE_HTML_MANY_BR10 /(:?<br>\s?){10}/is +describe SARE_HTML_MANY_BR10 Multiple consecutive line breaks within HTML +score SARE_HTML_MANY_BR10 0.648 +#hist SARE_HTML_MANY_BR10 Submitted as LW_BR (sequence of 8) +#counts SARE_HTML_MANY_BR10 2003s/201h of 333405 corpus (262498s/70907h RM) 05/12/06 +#counts SARE_HTML_MANY_BR10 477s/4h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_MANY_BR10 980s/21h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_MANY_BR10 517s/9h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#max SARE_HTML_MANY_BR10 797s/9h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05 +#counts SARE_HTML_MANY_BR10 43s/4h of 23099 corpus (17359s/5740h MY) 05/14/06 +#max SARE_HTML_MANY_BR10 538s/2h of 13454 corpus (11339s/2115h MY) 06/02/04 +#counts SARE_HTML_MANY_BR10 0s/10h of 6804 corpus (1336s/5468h ft) 06/17/05 +#counts SARE_HTML_MANY_BR10 178s/1h of 11260 corpus (6568s/4692h CT) 06/17/05 + +rawbody SARE_HTML_P_JUSTIFY /p align=justify/i +describe SARE_HTML_P_JUSTIFY uses align=justify paragraph +score SARE_HTML_P_JUSTIFY 0.409 +#counts SARE_HTML_P_JUSTIFY 90s/42h of 333405 corpus (262498s/70907h RM) 05/12/06 +#max SARE_HTML_P_JUSTIFY 208s/128h of 258858 corpus (114246s/144612h RM) 05/27/05 +#counts SARE_HTML_P_JUSTIFY 45s/9h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_P_JUSTIFY 109s/0h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_P_JUSTIFY 118s/11h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#counts SARE_HTML_P_JUSTIFY 16s/1h of 23099 corpus (17359s/5740h MY) 05/14/06 +#max SARE_HTML_P_JUSTIFY 56s/1h of 47221 corpus (42968s/4253h MY) 06/18/05 +#counts SARE_HTML_P_JUSTIFY 0s/2h of 6804 corpus (1336s/5468h ft) 06/17/05 
+#counts SARE_HTML_P_JUSTIFY 44s/0h of 11260 corpus (6568s/4692h CT) 06/17/05 +#max SARE_HTML_P_JUSTIFY 58s/0h of 10826 corpus (6364s/4462h CT) 05/28/05 + +######## ###################### ################################################## +# Suspicious tag combinations +######## ###################### ################################################## + +######## ###################### ################################################## +# Paragraphs, breaks, and spacings +######## ###################### ################################################## + +######## ###################### ################################################## +# Useless tags (tag structures that do nothing) +# Largely submitted by Matt Yackley, with contributions by +# Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson +######## ###################### ################################################## + +######## ###################### ################################################## +# Miscellaneous tag tests +######## ###################### ################################################## + +rawbody SARE_HTML_LEFT /<left>/i +describe SARE_HTML_LEFT HTML has strange tag +score SARE_HTML_LEFT 0.194 +#counts SARE_HTML_LEFT 16s/5h of 333405 corpus (262498s/70907h RM) 05/12/06 +#max SARE_HTML_LEFT 29s/2h of 114422 corpus (81069s/33353h RM) 01/16/05 +#counts SARE_HTML_LEFT 0s/0h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_LEFT 2s/0h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_LEFT 2s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05 +#max SARE_HTML_LEFT 4s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04 +#counts SARE_HTML_LEFT 1s/0h of 23099 corpus (17359s/5740h MY) 05/14/06 +#max SARE_HTML_LEFT 2s/0h of 47221 corpus (42968s/4253h MY) 06/18/05 +#counts SARE_HTML_LEFT 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 +#max SARE_HTML_LEFT 1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05 + +body __TAG_EXISTS_BODY 
eval:html_tag_exists('body') +body __TAG_EXISTS_HTML eval:html_tag_exists('html') +meta SARE_HTML_NO_HTML1 ( __TAG_EXISTS_BODY && !__TAG_EXISTS_HTML) +describe SARE_HTML_NO_HTML1 No body tag found in HTML email +score SARE_HTML_NO_HTML1 0.732 +#counts SARE_HTML_NO_HTML1 8421s/226h of 333405 corpus (262498s/70907h RM) 05/12/06 +#max SARE_HTML_NO_HTML1 11805s/1335h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_HTML_NO_HTML1 189s/30h of 56053 corpus (51711s/4342h AxB2) 05/15/06 +#counts SARE_HTML_NO_HTML1 709s/16h of 155688 corpus (104077s/51611h DOC) 05/15/06 +#counts SARE_HTML_NO_HTML1 239s/9h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05 +#max SARE_HTML_NO_HTML1 139s/7h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04 +#counts SARE_HTML_NO_HTML1 163s/10h of 23099 corpus (17359s/5740h MY) 05/14/06 +#max SARE_HTML_NO_HTML1 391s/7h of 57287 corpus (52272s/5015h MY) 09/22/05 +#counts SARE_HTML_NO_HTML1 9s/3h of 10629 corpus (5847s/4782h CT) 09/18/05 +#max SARE_HTML_NO_HTML1 47s/2h of 6944 corpus (3188s/3756h CT) 05/19/04 +#counts SARE_HTML_NO_HTML1 21s/12h of 7500 corpus (1767s/5733h ft) 09/18/05 + +# EOF diff --git a/common/sare/70_sare_oem.cf b/common/sare/70_sare_oem.cf new file mode 100644 index 0000000..a8dbe38 --- /dev/null +++ b/common/sare/70_sare_oem.cf 
@@ -0,0 +1,294 @@
+# SARE OEM Ruleset for SpamAssassin 2.5x and higher
+# Version: 1.05.14
+# Created: 2004-04-14
+# Modified: 2005-12-27
+# Changes:
+# License: Artistic - see http://www.rulesemporium.com/license.txt
+# Current Maintainer: Fred Tarasevicius tech2@i-is.com w/ Additions by Jesse Houwing j.houwing@rulesemporium.com
+# Current Home: http://www.rulesemporium.com/rules/70_sare_oem.cf
+# Requirements: SpamAssassin 2.5x or higher
+# SA 3.0 compliant: Yes
+# RULES TO CATCH PEOPLE TRYING TO SELL OEM SOFTWARE TO CONSUMERS.
+#
+#
+#
+## ADDED TO RULESET
+# Microsoft Windows 2000 Professional
+# Microsoft Windows 2003 Server
+# Microsoft Windows XP Media Center Edition
+# Microsoft Windows XP PRO/HOME
+# Microsoft Windows Small Business Server 2003 Standard Edition
+# Microsoft Office XP
+# Microsoft Office 2003
+# Microsoft Office Publisher
+# Microsoft Project 2002
+# Microsoft SQL Server 2000 Enterprise Edition
+# Microsoft Visual Studio
+# Microsoft Visio 2004
+# Microsoft Money 2004
+# Microsoft FrontPage 2003
+# Norton System Works 2003 Deluxe
+# Norton Antivirus Corporate Edition 2003
+# Adobe Acrobat 6.0 Pro
+# Adobe Creative Suite
+# Adobe Illustrator 10
+# Adobe In Design 2.0
+# Adobe InDesign 2
+# Adobe PageMaker 7.01
+# Adobe Photoshop 7
+# Adobe Photoshop Elements 2
+# Adobe Premiere
+# 3D Studio Max
+# AutoCAD 2005
+# Chief Architect 9.0
+# Cool Edit Pro v2.1
+# Corel Draw 12 Graphic Suite
+# Corel Draw 11 Graphic Suite
+# Corel Painter 8
+# Dragon Naturally Speaking
+# DVDXCopy Platinum 4.0.38
+# DVDXCopy Platinum v3.2.1
+# EasyRecovery
+# Macromedia Dreamweaver MX
+# Macromedia Fireworks MX
+# Macromedia Flash MX
+# Macromedia Studio MX
+# Mathematica 5.0
+# Nero Burning ROM 6 Ultra Edition
+# Nero 6 Ultra
+# PowerQuest Drive Image 7
+# QuarkXPress 5.01
+# QuarkXpress 6
+# Sonic Foundry DVD Architect 1.0c
+# Winfax PRO 10
+# WordPerfect Office 10
+#
+##
+
+
+
+# Popular sets.
+body __OEM_ADOBE_1 /Ad[o0]b[e3] In ?Design/i
+body __OEM_ADOBE_2 /Ph[o0]t[o0]sh[o0]{1,2}p (?:[5678]|CS|Elements)/i
+body __OEM_ADOBE_3 /Ad[o0]b[e3] Acrobat \d\.?\d? Pro/i
+body __OEM_ADOBE_4 /Ad[o0]b[e3] Creative Suite/i
+body __OEM_ADOBE_5 /Ad[o0]b[e3] Illustrator \d\d/i
+body __OEM_ADOBE_6 /Ad[o0]b[e3] Premiere/i
+body __OEM_ADOBE_7 /Ad[o0]b[e3] PageMaker \d/i
+body __OEM_MACROMED_1 /Macromedia Dreamwe?aver MX/i
+body __OEM_MACROMED_2 /Fireworks MX/i
+body __OEM_MACROMED_3 /Macromedia Flash MX/i
+body __OEM_MACROMED_4 /Macromedia Studio MX/i
+body __OEM_MACROMED_5 /Studio MX \d{4}/i
+body __OEM_MS_1 /W[i|]nd[o0]ws (?:NT 4\.0|98 Second|2[0O]{2}3 Server|2[0O]{3} Pr[o0]|XP Media Center|XP (?:Pr[o0]|H[o0]me|C[o0]rp)|Small)/i
+body __OEM_MS_2 /[O0]ff[i|]ce (?:XP|2[0O][0O]\d|Small|Publisher|System Pro)/i
+body __OEM_MS_3 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) Visual Studio/i
+body __OEM_MS_4 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) Visio 200\d/i
+body __OEM_MS_5 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) Money 200\d/i
+body __OEM_MS_6 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) Project 200\d/i
+body __OEM_MS_7 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) SQL Server (?:2000|7)/i
+body __OEM_MS_8 /W[i|]nd[o0]w(?:XP|2[0o][0o]3)/i
+body __OEM_MS_9 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) FrontPage 2003/i
+body __OEM_NORTON_1 /N[o0]rt[o0]n Ant[i|](?:\s*)?v[i|]rus (?:Corporate|200\d|Pr[o0])/i
+body __OEM_NORTON_2 /System ?Works (?:Pro)? ?2[0O][0O][34]/i
+
+# Used in the final meta to check if at least one of this companies prod's were listed.
+meta __ONE_PLUS_ADOBE (__OEM_ADOBE_1 || __OEM_ADOBE_2 || __OEM_ADOBE_3 || __OEM_ADOBE_4 || __OEM_ADOBE_5 || __OEM_ADOBE_6 || __OEM_ADOBE_7) +meta __ONE_PLUS_MACROM (__OEM_MACROMED_1 || __OEM_MACROMED_2 || __OEM_MACROMED_3 || __OEM_MACROMED_4 || __OEM_MACROMED_5) +meta __ONE_PLUS_MSOFT (__OEM_MS_1 || __OEM_MS_2 || __OEM_MS_3 || __OEM_MS_4 || __OEM_MS_5 || __OEM_MS_6 || __OEM_MS_7 || __OEM_MS_8 || __OEM_MS_9) +meta __ONE_PLUS_NORTON (__OEM_NORTON_1 || __OEM_NORTON_2) + +meta __MANY_ADOBE_1 ((__OEM_ADOBE_1 + __OEM_ADOBE_2 + __OEM_ADOBE_3 + __OEM_ADOBE_4 + __OEM_ADOBE_5 + __OEM_ADOBE_6 + __OEM_ADOBE_7) > 1) +meta __MANY_MACROM_1 ((__OEM_MACROMED_1 + __OEM_MACROMED_2 + __OEM_MACROMED_3 + __OEM_MACROMED_4 + __OEM_MACROMED_5) > 1) +meta __MANY_MSOFT_1 ((__OEM_MS_1 + __OEM_MS_2 + __OEM_MS_3 + __OEM_MS_4 + __OEM_MS_5 + __OEM_MS_6 + __OEM_MS_7 + __OEM_MS_8 + __OEM_MS_9) > 1) + +meta __MANY_ADOBE_2 ((__OEM_ADOBE_1 + __OEM_ADOBE_2 + __OEM_ADOBE_3 + __OEM_ADOBE_4 + __OEM_ADOBE_5 + __OEM_ADOBE_6 + __OEM_ADOBE_7) > 2) +meta __MANY_MACROM_2 ((__OEM_MACROMED_1 + __OEM_MACROMED_2 + __OEM_MACROMED_3 + __OEM_MACROMED_4 + __OEM_MACROMED_5) > 2) +meta __MANY_MSOFT_2 ((__OEM_MS_1 + __OEM_MS_2 + __OEM_MS_3 + __OEM_MS_4 + __OEM_MS_5 + __OEM_MS_6 + __OEM_MS_7 + __OEM_MS_8 + __OEM_MS_9) > 2) + + +# Catch OEM style price lines +body __WINDOWS_PRICE /windows.{4,40}\$\s?\d\d/i +body __PHOTOSH_PRICE /Photoshop.{4,40}\$\s?\d\d/i +body __CREATIV_PRICE /Creative.{4,40}\$\s?\d\d/i +body __ACROBAT_PRICE /Acrobat.{4,40}\$\s?\d\d/i +body __ILLUSTR_PRICE /Illustrator.{4,40}\$\s?\d\d/i + +meta __POPULAR_PRICES2 ((__WINDOWS_PRICE + __PHOTOSH_PRICE + __CREATIV_PRICE + __ACROBAT_PRICE + __ILLUSTR_PRICE) > 1) +meta SARE_OEM_POP_PRICES3 ((__WINDOWS_PRICE + __PHOTOSH_PRICE + __CREATIV_PRICE + __ACROBAT_PRICE + __ILLUSTR_PRICE) > 2) +score SARE_OEM_POP_PRICES3 1.931 + +meta SARE_OEM_PRODS_FEW ((__ONE_PLUS_ADOBE + __ONE_PLUS_MACROM + __ONE_PLUS_MSOFT + __ONE_PLUS_NORTON + __POPULAR_PRICES2) > 1) +meta 
SARE_OEM_PRODS_1 ((__MANY_ADOBE_1 + __MANY_MACROM_1 + __MANY_MSOFT_1 + __ONE_PLUS_NORTON + __POPULAR_PRICES2) > 1) +meta SARE_OEM_PRODS_2 ((__MANY_ADOBE_1 + __MANY_ADOBE_2 + __MANY_MACROM_1 + __MANY_MACROM_2 + __MANY_MSOFT_1 + __MANY_MSOFT_2 + __ONE_PLUS_NORTON + __POPULAR_PRICES2) > 3) +meta SARE_OEM_PRODS_3 ((__MANY_ADOBE_1 + __MANY_ADOBE_2 + __MANY_MACROM_1 + __MANY_MACROM_2 + __MANY_MSOFT_1 + __MANY_MSOFT_2 + __ONE_PLUS_NORTON + __POPULAR_PRICES2) > 4) + + + + + + + + +# MISC others +body __OEM_3DSTUDIO /3D Studio Max/i +body __OEM_AUTOCAD /AutoCAD \d{2,4}/i +body __OEM_CHIEF_ARCH /Chief Architect \d/ +body __OEM_COOLEDIT /Cool Edit Pro/i +body __OEM_COREL_1 /Corel ?Draw (?:\d{1,2}|Graphic)/i +body __OEM_COREL_2 /Corel ?Painter 8/i +body __OEM_DRAGON /Dragon Naturally Speaking/i +body __OEM_DVDXCOPY /DVDXCopy Platinum (?:\d|v)/i +body __OEM_EASYRECOVER /EasyRecovery/i +body __OEM_MATHEMATICA /Mathematica \d/i +body __OEM_NEROBURNING /Nero (?:Burning (?:Rom)?\s*\d|6 ultra)/i +body __OEM_POWERQU /PowerQuest Drive Image \d/i +body __OEM_QUARKXPRESS /QuarkXpress \d/i +body __OEM_QUICKBOOKS /QuickBooks Pro 200\d/i +body __OEM_SONIC_FOUND /Sonic Foundry DVD/i +body __OEM_ULEAD_1 /Ulead DVD Workshop/i +body __OEM_WINFAX /Winfax PRO \d\d/i +body __OEM_WORDPERF /WordPerfect (?:\d{2}|Office)/i + +meta __OEM_OTHERS_AM (__OEM_3DSTUDIO || __OEM_AUTOCAD || __OEM_CHIEF_ARCH || __OEM_COREL_1 || __OEM_COREL_2 || __OEM_DRAGON || __OEM_DVDXCOPY || __OEM_EASYRECOVER || __OEM_MATHEMATICA) +meta __OEM_OTHERS_NP (__OEM_NEROBURNING || __OEM_POWERQU) +meta __OEM_OTHERS_QZ (__OEM_QUARKXPRESS || __OEM_QUICKBOOKS || __OEM_SONIC_FOUND || __OEM_ULEAD_1 || __OEM_WINFAX || __OEM_WORDPERF) +meta __OEM_OTHERS_ALL (__OEM_OTHERS_AM || __OEM_OTHERS_NP || __OEM_OTHERS_QZ) + + + +# If we found some of the big players, look for some other guys, and add more points if found. 
+meta SARE_OEM_AND_OTHER (SARE_OEM_PRODS_1 && __OEM_OTHERS_ALL) + + +# A combined meta test to count overall number of products listed. +meta SARE_PRODUCTS_02 ((__ONE_PLUS_ADOBE + __ONE_PLUS_MACROM + __ONE_PLUS_MSOFT + __ONE_PLUS_NORTON + __OEM_OTHERS_AM + __OEM_OTHERS_NP + __OEM_OTHERS_QZ) > 1) +meta SARE_PRODUCTS_03 ((__ONE_PLUS_ADOBE + __ONE_PLUS_MACROM + __ONE_PLUS_MSOFT + __ONE_PLUS_NORTON + __OEM_OTHERS_AM + __OEM_OTHERS_NP + __OEM_OTHERS_QZ) > 2) +meta SARE_PRODUCTS_04 ((__ONE_PLUS_ADOBE + __ONE_PLUS_MACROM + __ONE_PLUS_MSOFT + __ONE_PLUS_NORTON + __OEM_OTHERS_AM + __OEM_OTHERS_NP + __OEM_OTHERS_QZ) > 3) + + +score SARE_OEM_PRODS_FEW 0.879 +score SARE_OEM_PRODS_1 0.753 +score SARE_OEM_PRODS_2 0.897 +score SARE_OEM_PRODS_3 0.951 +score SARE_OEM_AND_OTHER 1.259 +score SARE_PRODUCTS_02 0.375 +score SARE_PRODUCTS_03 0.875 +score SARE_PRODUCTS_04 1.75 + + + +meta SARE_PRODS_LOTS ((SARE_PRODUCTS_02 + SARE_PRODUCTS_03 + SARE_PRODUCTS_04) > 2) +score SARE_PRODS_LOTS 1.9 + + +# Added for Fake years like 2OO3 note, that is not: 2003. 
+body SARE_OEM_FAKE_YEAR /\b2(?!00)[O0]{2}\d\b/ +score SARE_OEM_FAKE_YEAR 1.70 + + +body SARE_OEM_PRO_DOL /Professional .{0,3}\$\s?\d\d/i +score SARE_OEM_PRO_DOL 0.75 + +body SARE_OEM_WIN_DOL /Windows.{1,9}\$\s?\d\d/i +score SARE_OEM_WIN_DOL 0.75 + +body SARE_OEM_NEW_TITLES /NEW TITLES/ +score SARE_OEM_NEW_TITLES 0.75 + +body SARE_OEM_MONEY_ADOBE /\$\d\d\d?\s?Adobe/i +score SARE_OEM_MONEY_ADOBE 0.75 + +body SARE_OEM_MONEY_OFFIC /\$\d\d\d?\s?Office/i +score SARE_OEM_MONEY_OFFIC 0.75 + +body SARE_OEM_MONEY_MS /\$\d\d\d?\s?Microsoft/i +score SARE_OEM_MONEY_MS 0.75 + +body SARE_OEM_MONEY_WIN /\$\d\d\d?\s?Windows/i +score SARE_OEM_MONEY_WIN 0.75 + +uri SARE_OEM_UPPER_EYE /eyebrow-upper-left-corner/ +score SARE_OEM_UPPER_EYE 0.95 + +# .oem in URL +uri SARE_OEM_DOT_URI /\.oem/i +score SARE_OEM_DOT_URI 0.094 +#counts SARE_OEM_DOT_URI 0s/0h of 40645 corpus (35355s/5290h MY) 12/26/05 +#counts SARE_OEM_DOT_URI 5s/0h of 9789 corpus (4888s/4901h FT) 12/26/05 +#counts SARE_OEM_DOT_URI 71s/0h of 40795 corpus (31049s/9746h ML) 12/26/05 + + + +############################################################################## +# Common phrases in OEM spam +# +# Added by Jesse Houwing +# j.houwing@rulesemporium.com + +body __SARE_OEM_1A /(?:normal|r.?e.?t.?a.?i.?l)\s*(?:p.?r.?i.?c.?e)?:?\s*(?:\$\s*)?\d/i +body __SARE_OEM_1B /(?:our|my)(?:\s*(?:low|online))?\s*p.?r.?i.?c.?e:?\s*(?:\$\s*)?\d/i +body __SARE_OEM_1C /you\s*s.?a.?v.?e:?\s*(?:\$\s*)?\d/i + +body __SARE_OEM_2A /(?:normal|r.?e.?t.?a.?i.?l)\s*(?:p.?r.?i.?c.?e)/i +body __SARE_OEM_2B /(?:our|my)(?:\s*(?:l[o0]w|online))?\s*p.?r.?i.?c.?e/i +body __SARE_OEM_2C /you\s*s.?a.?v.?e/i + +body SARE_OEM_OEMCD /\boem.?cd/i +body SARE_OEM_REDPR /reduced our prices/i +body SARE_OEM_BRC /\(OEM\)/i +body SARE_OEM_SOFT_IS /\b(?:\bsoftware\b.{1,15}\b[OQ0]EM\b|\b[OQ0]EM\b.{1,15}\bsoftware\b)\b/i + +body SARE_OEM_OBFU /(?:(?!oem)\b[o0][e3]m\b|(?!soft ?wares?)\b[s5$].?[o0].?f.?t.?w.?[\@a].?r.?[e3].?[s5]?\b)/ +rawbody SARE_OEM_S_DOL 
m{(?:<s>[^\$]*?\$.*?</s>|<s>.*?\d+\.\d+.*?</s>|text-decoration:\sline-through[^\$]{0,40}?\$|text-decoration:\sline-through.{0,40}\d+\.\d+)}i +rawbody SARE_OEM_S_PRICE /\.\w*price\s*{/i + +meta SARE_OEM_A_1 __SARE_OEM_1A + __SARE_OEM_1B + __SARE_OEM_1C > 1 +meta SARE_OEM_A_2 __SARE_OEM_1A + __SARE_OEM_1B + __SARE_OEM_1C > 2 +meta SARE_OEM_B_3 __SARE_OEM_2A && __SARE_OEM_2B && __SARE_OEM_2C && !SARE_OEM_A_2 + +score SARE_OEM_OBFU 1.0 +score SARE_OEM_B_3 2.0 +score SARE_OEM_SOFT_IS 1.0 +score SARE_OEM_BRC 1.0 +score SARE_OEM_S_DOL 1.2 +score SARE_OEM_OEMCD 0.8 +score SARE_OEM_REDPR 0.8 +score SARE_OEM_A_1 2.0 +score SARE_OEM_A_2 1.5 +score SARE_OEM_S_PRICE 1.0 + +describe SARE_OEM_OBFU Obfuscated OEM terms +describe SARE_OEM_BRC OEM in braces +describe SARE_OEM_SOFT_IS Software that is OEM +describe SARE_OEM_S_DOL One strike, you're out +describe SARE_OEM_OEMCD Mentions a OEM cd +describe SARE_OEM_REDPR Mentions lower prices +describe SARE_OEM_A_1 Common OEM spam phrases +describe SARE_OEM_A_2 More common OEM spam phrases +describe SARE_OEM_B_3 More common OEM spam phrases +describe SARE_OEM_S_PRICE CSS style that ends with price + +############################################################################## + +# Bob Menschel's Contributions. + +body RM_bpoem_InstantDL /instant download/i +describe RM_bpoem_InstantDL Contains spammer phrasing - oem s/w +score RM_bpoem_InstantDL 1.820 +#hist RM_bpoem_InstantDL Created by Bob Menschel Sep 10 2004 +#counts RM_bpoem_InstantDL 82s/0h of 66096 corpus (40118s/25978h RM) 09/12/04 + +body RM_bpc_OpenNewSite /opened a NEW site/i +describe RM_bpc_OpenNewSite common spammer phrasing +score RM_bpc_OpenNewSite 1.210 +#hist RM_bpc_OpenNewSite Created by Bob Menschel Sep 10 2004 +#counts RM_bpc_OpenNewSite 21s/0h of 66096 corpus (40118s/25978h RM) 09/12/04 + +body RM_bpc_WorldBestSW /WORLD'?s? 
BEST software/i +describe RM_bpc_WorldBestSW common spammer phrasing +score RM_bpc_WorldBestSW 1.200 +#hist RM_bpc_WorldBestSW Created by Bob Menschel Sep 10 2004 +#counts RM_bpc_WorldBestSW 20s/0h of 66096 corpus (40118s/25978h RM) 09/12/04 + +# EOF diff --git a/common/sare/70_sare_specific.cf b/common/sare/70_sare_specific.cf new file mode 100644 index 0000000..b1dec3b --- /dev/null +++ b/common/sare/70_sare_specific.cf 
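Review bot: The `SARE_PRODUCTS_02`/`_03`/`_04` thresholds in 70_sare_oem.cf are cumulative and `SARE_PRODS_LOTS` fires only once all three have fired, so a message naming four of the seven product families collects 0.375 + 0.875 + 1.75 + 1.9 = 4.9 points from this one cluster, and `SARE_OEM_PRODS_FEW` (0.879) can fire on the same vendor matches. The family subrules match plain product names such as `Office XP` or `AutoCAD \d{2,4}`, which ordinary list traffic about software can contain, so this is a false-positive risk if the required score here is near SpamAssassin's default of 5. The file looks like a verbatim upstream copy, so I would leave it untouched and cap the stack in the local preferences the commit message says it also modifies, for example `score SARE_PRODS_LOTS 0` and `score SARE_PRODUCTS_04 0.875`, once a mass-check on the lists' own ham confirms the values. These scored metas also carry no `describe` line, so a spam report will not explain why they hit.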
@@ -0,0 +1,1187 @@
+# SARE Specific Ruleset for SpamAssassin
+# Version: 01.03.13
+# Created: 2004-05-28
+# Modified: 2006-05-27
+#@@# Revision History:
+# 01.00.00 - Created new rule set
+# 01.00.01 - Shortened some descriptions for version 3.0 lint
+# 01.01.00 - Added rules for Word of Mouth / Shared Experiences spammer
+# 01.01.01 - Removed rules duplicated elsewhere
+# - Minor score tweaks based on recent mass-check
+# 01.01.02 - Migrated some rules here from HTML rule set
+# - Minor score tweaks based on recent mass-check
+# 01.02.00 - Added a rule
+# - Removed some obsolete rules (spam nolonger hitting)
+# 01.02.01 - Improved WoM rules.
+# Moved ANUMA rule to new uri.cf file
+# 01.02.02 - Added SARE_SPEC_FROM_WOMR
+# Added exclusion to SARE_SPEC_URI_WOMR
+# 01.02.03 - Added __SARE_SPEC_BDY_WOMR8
+# 01.02.04 - Added SARE_STRIPE
+# 01.02.05 - Archived SARE_SPEC_MOOSQ, SARE_HTML_PILL3, SARE_HTML_PILL4
+# 01.03.00 - Added Rolex rules
+# 01.03.01 - Added SARE_SPEC_ROLEX_BRANDS and SARE_LOTTO rules
+# 01.03.02 - Added SARE_SPEC_HDR_WOMR2 and SARE_SPEC_URI_WOMR2
+# 01.03.03: May 26 2005
+# Minor score updates based on additional mass-check
+# Added "rawlex" intentional misspelling to rolex rules
+# Added SARE_SPEC_URI_GGFF
+# Added SARE_BODY_URI_STOCK
+# 01.03.04: May 27 2005
+# No rule changes; simply correcting revision history.
+# 01.03.05: May 27 2005
+# Added SARE_SPEC_BODY_NONEED
+# 01.03.06: Sept 22 2005
+# Modified WOMR From, Header, and URI rules.
+# Added file 0: SARE_SPEC_LEO_CHEM +# Added file 0: SARE_SPEC_LEO_COST +# Added file 0: SARE_SPEC_LEO_DOLLARS +# Added file 0: SARE_SPEC_LEO_DRUGS +# Added file 0: SARE_SPEC_LEO_LINE02 +# Added file 0: SARE_SPEC_LEO_LINE03 +# Added file 0: SARE_SPEC_LEO_LINE04 +# Added file 0: SARE_SPEC_LEO_LINE04d +# Added file 0: SARE_SPEC_LEO_LINE06 +# Added file 0: SARE_SPEC_LEO_MEDS +# Added file 0: SARE_SPEC_LEO_PHARM +# Added file 0: SARE_SPEC_LEO_PHARM2 +# Added file 0: SARE_SPEC_SPAMIS_FROM +# Added file 0: SARE_SPEC_SPAMIS_RECV +# 01.03.07: Oct 1 2005 +# Added: SARE_SPEC_SPAMIS_BDY1, _BDY2 +# 01.03.08: Oct 13 2005 +# Added SARE_SPEC_LRD_COST_M1 and SARE_SPEC_LRD_COST_M2 +# 01.03.09: Nov 18 2005 +# Minor score tweaks based on recent mass-check +# Added SARE_SPEC_CLIENT_TOS +# Added SARE_SPEC_CLIENT_TOS2 +# Added SARE_SPEC_DIPLOMA +# Added SARE_SPEC_GETITFREE +# Added SARE_SPEC_LEO_BORD +# Added SARE_SPEC_LEO_PIE2 +# Added SARE_SPEC_PLEASEDOTHIS +# Added SARE_SPEC_PROLEO_M1 +# Added SARE_SPEC_PROLEO_M1, M2, M2a +# Added SARE_SPEC_REALLY_WORKS, WORK2, WORK3, WORK4 +# Added SARE_SPEC_ROLEX_HIQLT +# Added SARE_SPEC_ROLEX_NOV5A +# Added SARE_SPEC_XXGEOCITIES +# Archive Aruba rules +# Archive SARE_SPEC_BANNEDCD +# Archive SARE_SPEC_DIRMEDIA +# Archive SARE_SPEC_FROM_BOB +# Archive SARE_SPEC_LEO_LINE06 +# Archive SARE_SPEC_URI_GGFF +# Archive WOMR rules +# 01.03.10: Nov 18 2005 +# Added SARE_SPEC_ROLEX_NOV5B +# 01.03.11: Nov 24 2005 +# Minor score tweaks based on recent mass-check +# Enhanced SARE_SPEC_XXGEOCITIES +# Modified SARE_SPEC_PROLEO_M1 subrules +# Added SARE_SPEC_ROLEX_NOV5C, NOV5D, NOV5E +# Added SARE_SPEC_REPL_OBFU1, OBFU2, OBFU3, OBFU4, OBFU5, OBFU6 +# Added SARE_SPEC_REPLICA +# Added SARE_SPEC_SHORTQ +# Added SARE_SPEC_SPAMARREST +# 01.03.12: Nov 25 2005 +# Improved SARE_SPEC_SPAMARREST to key only on spamarrest bounces +# Expanded watch spam tests +#@@# 01.03.13: May 27 2006 +#@@# Modified repetition counts for efficiency +#@@# Minor score tweaks based on recent 
mass-check +#@@# Added SARE_SPEC_XXGEOCITIE5 +#@@# Archived SARE_SPEC_CLIENT_TOS, SARE_SPEC_CLIENT_TOS2 +#@@# Archived SARE_SPEC_PLEASEDOTHIS +#@@# Archived SARE_SPEC_GETITFREE +#@@# Archived SARE_SPEC_GETITFREE2 +#@@# Archived SARE_SPEC_XXGEOCITIES +#@@# Archived SARE_STRIPE +#@@# Archived SARE_LOTTO_GREENCARD +#@@# Archived SARE_SPEC_SHORTQ +#@@# Archived SARE_SPEC_ROLEX_SUB2 +#@@# Archived SARE_SPEC_ROLEX_NOV5C + +# License: Artistic - see http://www.rulesemporium.com/license.txt +# Current Maintainer: Bob Menschel - RMSA@Menschel.net +# Current Home: http://www.rulesemporium.com/rules/70_sare_specific.cf +# +# This rule set is intended to catch the M.O. of specific spammers and/or +# specific spam that might otherwise elude more general-purpose rules. +# Our intent is that this rule set should not hit any non-spam. +# Because of the nature of the specific spams this rules file aims for, +# we cannot avoid ALL non-spam. However, any rule that hits ham hits +# spam/ham by at least 1000:1. +# +# Note that __subrules used within this rule set will frequently hit ham, +# but the meta tests or other tests with scores should NOT hit any ham. + +body __SARE_SPEC_SPAMARR_UR m'http://(?:www\.)?spamarrest\.com/\w' +header __SARE_SPEC_SPAMARR_SB Subject =~ /Spam Arrest Verification Confirmation/ +meta SARE_SPEC_SPAMARREST __SARE_SPEC_SPAMARR_UR && !__SARE_SPEC_SPAMARR_SB +describe SARE_SPEC_SPAMARREST probable invalid spam bounce +score SARE_SPEC_SPAMARREST 0.822 +#ham SARE_SPEC_SPAMARREST confirmed +#hist SARE_SPEC_SPAMARREST Bob Menschel, Nov 2005 +#note SARE_SPEC_SPAMARREST Since SpamArrest bounces contain only the headers of the original message, it's extremely +#note SARE_SPEC_SPAMARREST difficult to get a false positive on them. We use a high score, so that subject tests can flag emails as spam. 
+#note SARE_SPEC_SPAMARREST We do require at least a 1.666 score from other rule(s), to avoid false positives +#counts SARE_SPEC_SPAMARREST 45s/0h of 173230 corpus (99061s/74169h RM) 05/11/06 +#max SARE_SPEC_SPAMARREST 403s/6h of 366082 corpus (108301s/257781h RM) 11/25/05 +#counts SARE_SPEC_SPAMARREST 3s/0h of 106098 corpus (72789s/33309h ML) 05/14/06 + +######## ###################### ################################################## +# Rolex Rules +######## ###################### ################################################## + +header __SARE_SPEC_ROLEX_SUBJ Subject =~ /\b(?:r(?:[0o@]|aw)[1l|][3e]x|[g6]ucc[1l|])/i +describe __SARE_SPEC_ROLEX_SUBJ Subject: mentions a Rolex/Gucci/etc. +body __SARE_SPEC_ROLEX_BODY /\b(?:r(?:[0o@]|aw)[1l|][3e]x|[g6]ucc[1l|])/i +describe __SARE_SPEC_ROLEX_BODY Body: mentions a Rolex/Gucci/etc. +header __SARE_SPEC_WATCH_SUBJ Subject =~ /\b(?:w[a@]tch|h[a@]ndb[a@][g6])/i +describe __SARE_SPEC_WATCH_SUBJ Subject: mentions watch/handbag/etc. +body __SARE_SPEC_WATCH_BODY /\b(?:w[a@]tch|h[a@]ndb[a@][g6])/i +describe __SARE_SPEC_WATCH_BODY Body: mentions watch/handbag/etc. + +meta SARE_SPEC_ROLEX ( ( __SARE_SPEC_WATCH_SUBJ && __SARE_SPEC_ROLEX_BODY ) || ( __SARE_SPEC_ROLEX_SUBJ && __SARE_SPEC_WATCH_BODY ) || ( __SARE_SPEC_ROLEX_SUBJ && __SARE_SPEC_ROLEX_BODY ) ) +describe SARE_SPEC_ROLEX Rolex watch spam +score SARE_SPEC_ROLEX 1.666 +#ham SARE_SPEC_ROLEX confirmed (2) +#hist SARE_SPEC_ROLEX Brent J. 
Nordquist -- b-nordquist at bethel.edu +#counts SARE_SPEC_ROLEX 890s/0h of 173230 corpus (99061s/74169h RM) 05/11/06 +#max SARE_SPEC_ROLEX 4335s/1h of 689155 corpus (348140s/341015h RM) 09/18/05 +#counts SARE_SPEC_ROLEX 115s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06 +#counts SARE_SPEC_ROLEX 15s/0h of 682 corpus (290s/392h CRF) 02/20/05 +#counts SARE_SPEC_ROLEX 93s/0h of 13339 corpus (7462s/5877h CT) 05/14/06 +#max SARE_SPEC_ROLEX 151s/0h of 10801 corpus (6349s/4452h CT) 05/24/05 +#counts SARE_SPEC_ROLEX 611s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06 +#counts SARE_SPEC_ROLEX 434s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06 +#max SARE_SPEC_ROLEX 680s/0h of 139999 corpus (133260s/6739h ft) 10/09/05 +#counts SARE_SPEC_ROLEX 556s/0h of 54874 corpus (17700s/37174h JH-3.01) 03/13/05 +#counts SARE_SPEC_ROLEX 298s/0h of 106098 corpus (72789s/33309h ML) 05/14/06 +#counts SARE_SPEC_ROLEX 76s/0h of 23026 corpus (17290s/5736h MY) 05/14/06 +#max SARE_SPEC_ROLEX 250s/0h of 57287 corpus (52272s/5015h MY) 09/22/05 + +rawbody SARE_SPEC_WANT_ROLEX /^\s{0,30}(?:do\s{1,30})?(?:you\s{1,30})?(?:want|need)\s{1,30}(?:a\s{1,30})?(?:(?:cheap|non.?(?:expensive|pricey))s{1,30})?(R(?:[0o@]|aw)lex\s{1,30})?watch\s{0,30}\?/i +describe SARE_SPEC_WANT_ROLEX Body: asks if we want/need a Rolex +score SARE_SPEC_WANT_ROLEX 2.333 +#hist SARE_SPEC_WANT_ROLEX Brent J. 
Nordquist -- b-nordquist at bethel.edu
+#counts SARE_SPEC_WANT_ROLEX 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_WANT_ROLEX 2038s/0h of 238467 corpus (112478s/125989h RM) 02/28/05
+#counts SARE_SPEC_WANT_ROLEX 1s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_WANT_ROLEX 4s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_WANT_ROLEX 51s/0h of 11002 corpus (6572s/4430h CT) 03/10/05
+#counts SARE_SPEC_WANT_ROLEX 39s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#max SARE_SPEC_WANT_ROLEX 169s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_WANT_ROLEX 0s/0h of 4358 corpus (754s/3604h ft) 05/24/05
+#counts SARE_SPEC_WANT_ROLEX 264s/0h of 54874 corpus (17700s/37174h JH-3.01) 03/13/05
+#counts SARE_SPEC_WANT_ROLEX 4s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_WANT_ROLEX 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+#max SARE_SPEC_WANT_ROLEX 6s/0h of 27712 corpus (24263s/3449h MY) 02/27/05
+
+body __SARE_SPEC_ROLEX_REP1 /r(?:[0o@]|aw)lex.{1,30}replica/i
+body __SARE_SPEC_ROLEX_REP2 /replica.{1,30}r(?:[0o@]|aw)lex/i
+meta SARE_SPEC_ROLEX_REP (__SARE_SPEC_ROLEX_REP1 || __SARE_SPEC_ROLEX_REP2)
+describe SARE_SPEC_ROLEX_REP Rolex Replica
+score SARE_SPEC_ROLEX_REP 1.666
+#ham SARE_SPEC_ROLEX_REP Actual watch dealer / repair shop who occasionally fixes replicas
+#hist SARE_SPEC_ROLEX_REP ninjaz -at- webexpress.com
+#counts SARE_SPEC_ROLEX_REP 383s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_REP 6436s/0h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_ROLEX_REP 191s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_ROLEX_REP 1s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_ROLEX_REP 83s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_ROLEX_REP 128s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_ROLEX_REP 714s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts 
SARE_SPEC_ROLEX_REP 392s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_ROLEX_REP 537s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_ROLEX_REP 255s/0h of 54874 corpus (17700s/37174h JH-3.01) 03/13/05
+#counts SARE_SPEC_ROLEX_REP 310s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_ROLEX_REP 25s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_ROLEX_REP 112s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+
+body SARE_SPEC_ROLEX_SEL /\bselection\b.{1,5}\bof\b.{1,30}\br(?:[0o@]|aw)lex/i
+describe SARE_SPEC_ROLEX_SEL Large selection of Rolex
+score SARE_SPEC_ROLEX_SEL 2.222
+#hist SARE_SPEC_ROLEX_SEL ninjaz -at- webexpress.com
+#counts SARE_SPEC_ROLEX_SEL 56s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_SEL 1411s/0h of 174352 corpus (98963s/75389h RM) 02/18/05
+#counts SARE_SPEC_ROLEX_SEL 17s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_ROLEX_SEL 2s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_ROLEX_SEL 6s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_ROLEX_SEL 27s/0h of 10801 corpus (6349s/4452h CT) 05/24/05
+#counts SARE_SPEC_ROLEX_SEL 7s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#max SARE_SPEC_ROLEX_SEL 42s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_ROLEX_SEL 12s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_ROLEX_SEL 65s/0h of 54874 corpus (17700s/37174h JH-3.01) 03/13/05
+#counts SARE_SPEC_ROLEX_SEL 23s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_ROLEX_SEL 0s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_ROLEX_SEL 4s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+
+body SARE_SPEC_ROLEX_ORD /\border\b.{1,30}\br(?:[0o@]|aw)lex/i
+describe SARE_SPEC_ROLEX_ORD Order rolex
+score SARE_SPEC_ROLEX_ORD 2.222
+#hist SARE_SPEC_ROLEX_ORD ninjaz -at- webexpress.com
+#counts SARE_SPEC_ROLEX_ORD 1s/0h of 173230 corpus (99061s/74169h RM) 
05/11/06
+#max SARE_SPEC_ROLEX_ORD 1166s/0h of 174352 corpus (98963s/75389h RM) 02/18/05
+#counts SARE_SPEC_ROLEX_ORD 1s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_ROLEX_ORD 0s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#max SARE_SPEC_ROLEX_ORD 5s/0h of 11002 corpus (6572s/4430h CT) 03/10/05
+#counts SARE_SPEC_ROLEX_ORD 7s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#max SARE_SPEC_ROLEX_ORD 51s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_ROLEX_ORD 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_ROLEX_ORD 1s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_ROLEX_ORD 67s/0h of 54131 corpus (16957s/37174h JH-3.01) 03/02/05
+#counts SARE_SPEC_ROLEX_ORD 2s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_ROLEX_ORD 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+#max SARE_SPEC_ROLEX_ORD 7s/0h of 27712 corpus (24263s/3449h MY) 02/27/05
+
+body SARE_SPEC_ROLEX_ITAL /\bitalian\b.{1,30}\bcrafted\b.{1,30}\br(?:[0o@]|aw)lex/i
+describe SARE_SPEC_ROLEX_ITAL Italian Crafted Rolex
+score SARE_SPEC_ROLEX_ITAL 2.222
+#hist SARE_SPEC_ROLEX_ITAL ninjaz -at- webexpress.com
+#counts SARE_SPEC_ROLEX_ITAL 56s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_ITAL 118s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_SPEC_ROLEX_ITAL 17s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_ROLEX_ITAL 2s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_ROLEX_ITAL 2s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_ROLEX_ITAL 33s/0h of 11002 corpus (6572s/4430h CT) 03/10/05
+#counts SARE_SPEC_ROLEX_ITAL 12s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#max SARE_SPEC_ROLEX_ITAL 83s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_ROLEX_ITAL 12s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_ROLEX_ITAL 150s/0h of 54874 corpus (17700s/37174h JH-3.01) 03/13/05
+#counts 
SARE_SPEC_ROLEX_ITAL 24s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_ROLEX_ITAL 1s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+#max SARE_SPEC_ROLEX_ITAL 12s/0h of 27712 corpus (24263s/3449h MY) 02/27/05
+
+body SARE_SPEC_ROLEX_PRICE /r(?:[0o@]|aw)le.?x.{1,30}\bfrom\b.{1,30}\$\d{1,30}/i
+describe SARE_SPEC_ROLEX_PRICE Rolex for only...
+score SARE_SPEC_ROLEX_PRICE 1.666
+#hist SARE_SPEC_ROLEX_PRICE ninjaz -at- webexpress.com
+#counts SARE_SPEC_ROLEX_PRICE 1s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_PRICE 638s/0h of 174352 corpus (98963s/75389h RM) 02/18/05
+#counts SARE_SPEC_ROLEX_PRICE 0s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_ROLEX_PRICE 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_SPEC_ROLEX_PRICE 2s/0h of 11002 corpus (6572s/4430h CT) 03/10/05
+#counts SARE_SPEC_ROLEX_PRICE 5s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#max SARE_SPEC_ROLEX_PRICE 42s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_ROLEX_PRICE 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_ROLEX_PRICE 9s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_ROLEX_PRICE 72s/0h of 54131 corpus (16957s/37174h JH-3.01) 03/02/05
+#counts SARE_SPEC_ROLEX_PRICE 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_ROLEX_PRICE 7s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_ROLEX_PRICE 1s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+#max SARE_SPEC_ROLEX_PRICE 8s/0h of 27712 corpus (24263s/3449h MY) 02/27/05
+
+body SARE_SPEC_ROLEX_BUY /\bbuy\b.{1,30}\br(?:[0o@]|aw)lex/i
+describe SARE_SPEC_ROLEX_BUY Buy rolex
+score SARE_SPEC_ROLEX_BUY 1.666
+#ham SARE_SPEC_ROLEX_BUY confirmed (3)
+#hist SARE_SPEC_ROLEX_BUY ninjaz -at- webexpress.com
+#counts SARE_SPEC_ROLEX_BUY 191s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_BUY 5938s/0h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_ROLEX_BUY 
54s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_ROLEX_BUY 2s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_ROLEX_BUY 28s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_ROLEX_BUY 55s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_ROLEX_BUY 355s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_ROLEX_BUY 26s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_ROLEX_BUY 174s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_ROLEX_BUY 130s/0h of 54874 corpus (17700s/37174h JH-3.01) 03/13/05
+#counts SARE_SPEC_ROLEX_BUY 91s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_ROLEX_BUY 1s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_ROLEX_BUY 23s/0h of 47717 corpus (43727s/3990h MY) 05/25/05
+
+body __SARE_SPEC_GENU_REPL /\bgenuine\b.{1,30}\breplica/i
+meta SARE_SPEC_ROLEX_GENREP ( __SARE_SPEC_GENU_REPL && SARE_SPEC_ROLEX )
+describe SARE_SPEC_ROLEX_GENREP Genuine Replica Rolex! 
+score SARE_SPEC_ROLEX_GENREP 1.666
+#hist SARE_SPEC_ROLEX_GENREP ninjaz -at- webexpress.com
+#counts SARE_SPEC_ROLEX_GENREP 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_GENREP 243s/0h of 400503 corpus (178160s/222343h RM) 03/31/05
+#counts SARE_SPEC_ROLEX_GENREP 2s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_ROLEX_GENREP 2s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_ROLEX_GENREP 25s/0h of 11002 corpus (6572s/4430h CT) 03/10/05
+#counts SARE_SPEC_ROLEX_GENREP 3s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#max SARE_SPEC_ROLEX_GENREP 20s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_ROLEX_GENREP 24s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_ROLEX_GENREP 83s/0h of 54874 corpus (17700s/37174h JH-3.01) 03/13/05
+#counts SARE_SPEC_ROLEX_GENREP 2s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_ROLEX_GENREP 0s/0h of 53432 corpus (48386s/5046h MY) 10/08/05
+#max SARE_SPEC_ROLEX_GENREP 12s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
+
+body SARE_SPEC_ROLEX_CHEAP /(?:cheap|non.?expensive){1,30}r(?:[0o@]|aw)le.?x/i
+describe SARE_SPEC_ROLEX_CHEAP Cheap Rolex! 
+score SARE_SPEC_ROLEX_CHEAP 1.178
+#hist SARE_SPEC_ROLEX_CHEAP ninjaz -at- webexpress.com
+#ham SARE_SPEC_ROLEX_CHEAP Spam statement quoted from NBC Universal CEO Bob Wright on electronic newsletter
+#counts SARE_SPEC_ROLEX_CHEAP 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_CHEAP 81s/0h of 174380 corpus (98964s/75416h RM) 02/19/05
+#counts SARE_SPEC_ROLEX_CHEAP 0s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_ROLEX_CHEAP 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_SPEC_ROLEX_CHEAP 5s/0h of 11002 corpus (6572s/4430h CT) 03/10/05
+#counts SARE_SPEC_ROLEX_CHEAP 0s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#max SARE_SPEC_ROLEX_CHEAP 2s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_ROLEX_CHEAP 0s/0h of 4358 corpus (754s/3604h ft) 05/24/05
+#counts SARE_SPEC_ROLEX_CHEAP 15s/0h of 54131 corpus (16957s/37174h JH-3.01) 03/02/05
+#counts SARE_SPEC_ROLEX_CHEAP 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_ROLEX_CHEAP 6s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_ROLEX_CHEAP 0s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+#max SARE_SPEC_ROLEX_CHEAP 3s/0h of 47717 corpus (43727s/3990h MY) 05/25/05
+
+body SARE_SPEC_REPLICA_OBFU /\b(?:rep[l|]i[ck]a|rep lica|watach|wacth)\b/i
+describe SARE_SPEC_REPLICA_OBFU Rolex with obfuscated replica
+score SARE_SPEC_REPLICA_OBFU 1.812
+#stype SARE_SPEC_REPLICA_OBFU obfu
+#ham SARE_SPEC_REPLICA_OBFU Replika in non-English emails
+#hist SARE_SPEC_REPLICA_OBFU Robert Brooks, Feb 18 2005; Fred Taresevicius, Nov 2005
+#counts SARE_SPEC_REPLICA_OBFU 821s/4h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_REPLICA_OBFU 1s/0h of 9999 corpus (5651s/4348h AxB) 05/14/06
+#counts SARE_SPEC_REPLICA_OBFU 0s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_REPLICA_OBFU 31s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_REPLICA_OBFU 58s/0h of 155610 corpus (103978s/51632h DOC) 
05/14/06
+#counts SARE_SPEC_REPLICA_OBFU 61s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_REPLICA_OBFU 4s/0h of 54131 corpus (16957s/37174h JH-3.01) 03/02/05
+#counts SARE_SPEC_REPLICA_OBFU 143s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_REPLICA_OBFU 12s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+
+header SARE_SPEC_ROLEX_AFFRD Subject =~ /\bafford\b.{1,30}\br(?:[0o@]|aw)lex\b/i
+describe SARE_SPEC_ROLEX_AFFRD Can you afford a rolex?
+score SARE_SPEC_ROLEX_AFFRD 0.867
+#hist SARE_SPEC_ROLEX_AFFRD Robert Brooks, Feb 18 2005
+#counts SARE_SPEC_ROLEX_AFFRD 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_AFFRD 47s/0h of 400503 corpus (178160s/222343h RM) 03/31/05
+#counts SARE_SPEC_ROLEX_AFFRD 0s/0h of 682 corpus (290s/392h CRF) 02/20/05
+#counts SARE_SPEC_ROLEX_AFFRD 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#max SARE_SPEC_ROLEX_AFFRD 1s/0h of 11002 corpus (6572s/4430h CT) 03/10/05
+#counts SARE_SPEC_ROLEX_AFFRD 1s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_ROLEX_AFFRD 3s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_ROLEX_AFFRD 4s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_ROLEX_AFFRD 3s/0h of 54131 corpus (16957s/37174h JH-3.01) 03/02/05
+#counts SARE_SPEC_ROLEX_AFFRD 0s/0h of 27712 corpus (24263s/3449h MY) 02/27/05
+
+header SARE_SPEC_ROLEX_BRANDS Subject =~ /(\b(cartier|piaget|omega|longines|vuitton|r(?:[0o@]|aw)lex)\b.{0,30}){3,}/i
+describe SARE_SPEC_ROLEX_BRANDS Spammer subject - multiple brands
+score SARE_SPEC_ROLEX_BRANDS 1.111
+#stype SARE_SPEC_ROLEX_BRANDS spamp
+#hist SARE_SPEC_ROLEX_BRANDS Robert Brooks, Feb 21 2005
+#counts SARE_SPEC_ROLEX_BRANDS 25s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_BRANDS 48s/0h of 400503 corpus (178160s/222343h RM) 03/31/05
+#counts SARE_SPEC_ROLEX_BRANDS 1s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_ROLEX_BRANDS 0s/0h of 11002 
corpus (6572s/4430h CT) 03/10/05
+#counts SARE_SPEC_ROLEX_BRANDS 1s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_ROLEX_BRANDS 26s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_ROLEX_BRANDS 20s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_ROLEX_BRANDS 0s/0h of 27712 corpus (24263s/3449h MY) 02/27/05
+#counts SARE_SPEC_ROLEX_BRANDS 0s/0h of 54131 corpus (16957s/37174h JH-3.01) 03/02/05
+
+header SARE_SPEC_ROLEX_BRAND2 Subject =~ /(?:yearn for|want) (?:cartier|piaget|omega|longines|vuitton|r(?:[0o@]|aw)lex)/i
+describe SARE_SPEC_ROLEX_BRAND2 Spammer subject - multiple brands
+score SARE_SPEC_ROLEX_BRAND2 1.111
+#stype SARE_SPEC_ROLEX_BRAND2 spamp
+#hist SARE_SPEC_ROLEX_BRAND2 Bob Menschel, Nov 2005
+#counts SARE_SPEC_ROLEX_BRAND2 8s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_ROLEX_BRAND2 4s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_ROLEX_BRAND2 2s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_ROLEX_BRAND2 2s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_ROLEX_BRAND2 3s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+
+body SARE_SPEC_ROLEX_HIQLT m'high(?:est)?[- ]qualit(?:y|ies) (:?rep[|l]i[ck]a|reproduction|dup[l|]i[ck]ate|look)'i
+describe SARE_SPEC_ROLEX_HIQLT replica watch spam sign
+score SARE_SPEC_ROLEX_HIQLT 1.666
+#ham SARE_SPEC_ROLEX_HIQLT confirmation pending
+#hist SARE_SPEC_ROLEX_HIQLT Bob Menschel, Nov 2005
+#counts SARE_SPEC_ROLEX_HIQLT 366s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_HIQLT 1051s/0h of 386238 corpus (131050s/255188h RM) 11/17/05
+#counts SARE_SPEC_ROLEX_HIQLT 63s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_ROLEX_HIQLT 37s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_ROLEX_HIQLT 53s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_ROLEX_HIQLT 325s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts 
SARE_SPEC_ROLEX_HIQLT 13s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_ROLEX_HIQLT 16s/1h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_ROLEX_HIQLT 79s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+
+body SARE_SPEC_ROLEX_NOV5A /(?!want, watch)(?!(?:see|want)(?:[,s]|ed|ing)? (?:> )?(?:(?:me|you|him|her|them|us|--) )?(?:> )?(?:and|it|to|the|your) (?:> )?(?:clock|watch))(?:too many|see your|present of|replicas?|reproductions?|imitations?|duplicates?|look.?alike|decent|producing|acquire|(?:want|do not blow).{1,10}|solid(?:ly.?built)|wear.{1,10}new.{1,10}|(?:retail|consignment|Fair buys|fashionable|(?:gift|treat) for you|swiss.?(?:made|style)|be (?:trendy|visible) with).{1,25}) \b(?:(wrist(?:wear)? ?)?(?:watch(es)?|clocks?)|chrono(?:meter|piece|keeper)s?|time.?(?:piece|keeper)s?)\b/i
+describe SARE_SPEC_ROLEX_NOV5A replica watch spam sign
+score SARE_SPEC_ROLEX_NOV5A 1.062
+#hist SARE_SPEC_ROLEX_NOV5A Bob Menschel, Nov 2005
+#counts SARE_SPEC_ROLEX_NOV5A 142s/1h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_NOV5A 392s/7h of 386802 corpus (130807s/255995h RM) 11/13/05
+#counts SARE_SPEC_ROLEX_NOV5A 200s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_ROLEX_NOV5A 45s/4h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_ROLEX_NOV5A 138s/3h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_ROLEX_NOV5A 288s/4h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_ROLEX_NOV5A 305s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_ROLEX_NOV5A 67s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_ROLEX_NOV5A 71s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+
+body SARE_SPEC_ROLEX_NOV5B /(?:appearance|brand.?name) at (?:a )?(?:dis[ck]ount|reasonable|sensible|(?:quarter|fra[ck]tion).{1,15}(?:[ck]ost|price|fee))|noteworthy variety|[ck]oveted provider|deluxe masterpiece|(?:more than|over) \d{4}.{1,15}(?:brands|styles)|Shopper 
gratifi[ck]ation|[ck]hronomaster|(?:sele[ck]tion of|solid(?:ly.?build|superb)) (?:repli[ck]as?|reprodu[ck]tions?|dupli[ck]ates?|look.?alikes?)|noteworthy [ck]onsignments?|(?:repli[ck]as?|reprodu[ck]tions?|dupli[ck]ates?|look.?alikes?) trade|fusion of craftmanship and affordability/i
+describe SARE_SPEC_ROLEX_NOV5B replica watch spam sign
+score SARE_SPEC_ROLEX_NOV5B 1.111
+#stype SARE_SPEC_ROLEX_NOV5B spamp
+#hist SARE_SPEC_ROLEX_NOV5B Bob Menschel, Nov 2005
+#counts SARE_SPEC_ROLEX_NOV5B 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_NOV5B 16s/0h of 330817 corpus (115576s/215241h RM) 11/19/05
+#counts SARE_SPEC_ROLEX_NOV5B 5s/0h of 4891 corpus (3546s/1345h AxB) 11/20/05
+#counts SARE_SPEC_ROLEX_NOV5B 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_ROLEX_NOV5B 0s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_ROLEX_NOV5B 1s/0h of 74875 corpus (25026s/49849h DOC) 11/19/05
+#counts SARE_SPEC_ROLEX_NOV5B 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_ROLEX_NOV5B 2s/0h of 9802 corpus (4922s/4880h FT) 11/20/05
+#counts SARE_SPEC_ROLEX_NOV5B 12s/0h of 42567 corpus (37305s/5262h MY) 11/19/05
+#counts SARE_SPEC_ROLEX_NOV5B 1s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+
+body SARE_SPEC_ROLEX_NOV5D /online.{1,20}purchase.{1,20}watch|purchase.{1,20}watch.{1,20}online|purchase.{1,20}online.{1,20}watch|watch.{1,10}purchase.{1,20}online|Online trailing system/i
+describe SARE_SPEC_ROLEX_NOV5D replica watch spam sign
+score SARE_SPEC_ROLEX_NOV5D 1.111
+#stype SARE_SPEC_ROLEX_NOV5D spamp
+#hist SARE_SPEC_ROLEX_NOV5D Bob Menschel, Nov 2005
+#counts SARE_SPEC_ROLEX_NOV5D 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_NOV5D 4s/0h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_ROLEX_NOV5D 1s/0h of 9999 corpus (5651s/4348h AxB) 05/14/06
+#counts SARE_SPEC_ROLEX_NOV5D 2s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+
+body SARE_SPEC_ROLEX_NOV5E 
/(?!watch(?:ed|ing)?.{1,15}for you)\b(?:(wrist(?:wear)? ?)?(?:watch(es)?|clocks?)|chrono(?:meter|piece|keeper)s?|time.?(?:piece|keeper)s?).{1,15}for you\b/i
+describe SARE_SPEC_ROLEX_NOV5E replica watch spam sign
+score SARE_SPEC_ROLEX_NOV5E 0.500
+#hist SARE_SPEC_ROLEX_NOV5E Bob Menschel, Nov 2005
+#stype SARE_SPEC_ROLEX_NOV5E spamp
+#counts SARE_SPEC_ROLEX_NOV5E 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_NOV5E 6s/3h of 366109 corpus (108323s/257786h RM) 11/25/05
+#counts SARE_SPEC_ROLEX_NOV5E 1s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_ROLEX_NOV5E 1s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+
+body SARE_SPEC_ROLEX_NOV5F /(?:decadent|brand.?name).{1,15}\b(?:(wrist(?:wear)? ?)?(?:watch(es)?|clocks?)|chrono(?:meter|piece|keeper)s?|time.?(?:piece|keeper)s?)\b/i
+describe SARE_SPEC_ROLEX_NOV5F replica watch spam sign
+score SARE_SPEC_ROLEX_NOV5F 0.666
+#stype SARE_SPEC_ROLEX_NOV5F spamp
+#ham SARE_SPEC_ROLEX_NOV5F valid watch/clock importer/wholesaler
+#hist SARE_SPEC_ROLEX_NOV5F Bob Menschel, Nov 2005
+#counts SARE_SPEC_ROLEX_NOV5F 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ROLEX_NOV5F 11s/2h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_ROLEX_NOV5F 8s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_ROLEX_NOV5F 2s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+
+body SARE_SPEC_REPL_OBFU1 /(?!watches)(?!watch \* 
?s)(?:w|\\\/\\\/|VV|[\xC5][\xB4-\xB5]|[\xCF][\x88-\x89]|[\xCF]\x8E])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|[\xC4][\x80-\x85]|[\xC7][\x8D-\x8E]|[\xC7][\xBA-\xBB]|[\xCE][\x86]|[\xCE][\x91]|[\xCE][\x94]|[\xCE][\x9B]|[\xCE][\xAC]|[\xCE][\xB1]|[\xD0][\x90]|[\xD0]\xB0)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[t\+]|[\xC5][\xA2-\xA7]|[\xCE][\xA4]|[\xCF][\x84]|[\xD0][\xA2]|[\xD1]\x82)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[c\*\xC7\xE7\xA2\xA9]|[\xC4][\x86-\x8D]|[\xD0][\xA1]|[\xD1]\x81)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:h|[\xC4][\xA4-\xA7]|[\xCE][\x89]|[\xCE][\x97]|[\xD0][\x9D]|[\xD0][\xBD]|[\xD1][\x92]|[\xD2][\xA2-\xA3]|[\xD2][\xBA-\xBB]|[\xD5]\xB0])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1]\x91)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|[\xC5][\x9A-\xA1]|[\xD0][\x85]|[\xD1][\x95]|[\xD5]\x8F)\b/i +body SARE_SPEC_REPL_OBFU2 
/(?!wrist.?watch)(?:w|\\\/\\\/|VV|[\xC5][\xB4-\xB5]|[\xCF][\x88-\x89]|[\xCF]\x8E])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|[\xC5][\x94-\x99]|[\xD1]\x93)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|[\xC4][\xA8-\xB0]|[\xC4][\xBA]|[\xC4][\xBC]|[\xC4][\xBE]|[\xC5][\x80]|[\xC5][\x82]|[\xC7][\x8F-\x90]|[\xD0][\x86-\x87]|[\xD1][\x96-\x97]|[\xCE][\x8A]|[\xCE][\x90]|[\xCE][\x99]|[\xCE][\xAA]|[\xCE][\xAF]|[\xCE][\xB9]|[\xCF]\x8A)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|[\xC5][\x9A-\xA1]|[\xD0][\x85]|[\xD1][\x95]|[\xD5]\x8F)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[t\+]|[\xC5][\xA2-\xA7]|[\xCE][\xA4]|[\xCF][\x84]|[\xD0][\xA2]|[\xD1]\x82)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:w|\\\/\\\/|VV|[\xC5][\xB4-\xB5]|[\xCF][\x88-\x89]|[\xCF]\x8E])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|[\xC4][\x80-\x85]|[\xC7][\x8D-\x8E]|[\xC7][\xBA-\xBB]|[\xCE][\x86]|[\xCE][\x91]|[\xCE][\x94]|[\xCE][\x9B]|[\xCE][\xAC]|[\xCE][\xB1]|[\xD0][\x90]|[\xD0]\xB0)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[t\+]|[\xC5][\xA2-\xA7]|[\xCE][\xA4]|[\xCF][\x84]|[\xD0][\xA2]|[\xD1]\x82)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[c\*\xC7\xE7\xA2\xA9]|[\xC4][\x86-\x8D]|[\xD0][\xA1]|[\xD1]\x81)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:h|[\xC4][\xA4-\xA7]|[\xCE][\x89]|[\xCE][\x97]|[\xD0][\x9D]|[\xD0][\xBD]|[\xD1][\x92]|[\xD2][\xA2-\xA3]|[\xD2][\xBA-\xBB]|[\xD5]\xB0])/i +body SARE_SPEC_REPL_OBFU3 
/(?:w|\\\/\\\/|VV|[\xC5][\xB4-\xB5]|[\xCF][\x88-\x89]|[\xCF\x8E])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|[\xC5][\x94-\x99]|[\xD1\x93])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|[\xC4][\xA8-\xB0]|[\xC4][\xBA]|[\xC4][\xBC]|[\xC4][\xBE]|[\xC5][\x80]|[\xC5][\x82]|[\xC7][\x8F-\x90]|[\xD0][\x86-\x87]|[\xD1][\x96-\x97]|[\xCE][\x8A]|[\xCE][\x90]|[\xCE][\x99]|[\xCE][\xAA]|[\xCE][\xAF]|[\xCE][\xB9]|[\xCF\x8A])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|[\xC5][\x9A-\xA1]|[\xD0][\x85]|[\xD1][\x95]|[\xD5]\x8F)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[t\+]|[\xC5][\xA2-\xA7]|[\xCE][\xA4]|[\xCF][\x84]|[\xD0][\xA2]|[\xD1]\x82)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[c\*\xC7\xE7\xA2\xA9]|[\xC4][\x86-\x8D]|[\xD0][\xA1]|[\xD1]\x81)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[l1I\|\xA3]|(?:\xC5[\x80-\x82]|[\xC4][\xB9-\xBF]))[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|[\xC5][\x8C-\x91]|[\xC6][\xA0-\xA1]|[\xC7][\x91-\x92]|[\xC7][\xBE-\xBF]|[\xCE][\x8C]|[\xCE][\x98]|[\xCE][\x9F]|[\xCE][\xB8]|[\xCE][\xBF]|[\xCF][\x8C]|[\xD0][\x9E]|[\xD0][\xBE]|[\xD5]\x95)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[c\*\xC7\xE7\xA2\xA9]|[\xC4][\x86-\x8D]|[\xD0][\xA1]|[\xD1\x81])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:k|[\xC4][\xB6-\xB8]|[\xCE][\x9A]|[\xCE][\xBA]|[\xD0][\x8C]|[\xD0][\x9A]|[\xD0][\xBA]|[\xD1][\x9C]|[\xD2][\x9A-\x9D]])/i +body SARE_SPEC_REPL_OBFU4 
/(?!chronometer)(?:[c\*\xC7\xE7\xA2\xA9]|[\xC4][\x86-\x8D]|[\xD0][\xA1]|[\xD1]\x81)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:h|[\xC4][\xA4-\xA7]|[\xCE][\x89]|[\xCE][\x97]|[\xD0][\x9D]|[\xD0][\xBD]|[\xD1][\x92]|[\xD2][\xA2-\xA3]|[\xD2][\xBA-\xBB]|[\xD5]\xB0])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|[\xC5][\x94-\x99]|[\xD1]\x93)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|[\xC5][\x8C-\x91]|[\xC6][\xA0-\xA1]|[\xC7][\x91-\x92]|[\xC7][\xBE-\xBF]|[\xCE][\x8C]|[\xCE][\x98]|[\xCE][\x9F]|[\xCE][\xB8]|[\xCE][\xBF]|[\xCF][\x8C]|[\xD0][\x9E]|[\xD0][\xBE]|[\xD5]\x95)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||[\xC5][\x83-\x8B]|[\xCE][\x9D]|[\xCE][\xA0]|[\xCE][\xAE]|[\xCE][\xB7]|[\xD5][\xB2]|[\xD5]\xB8)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|[\xC5][\x8C-\x91]|[\xC6][\xA0-\xA1]|[\xC7][\x91-\x92]|[\xC7][\xBE-\xBF]|[\xCE][\x8C]|[\xCE][\x98]|[\xCE][\x9F]|[\xCE][\xB8]|[\xCE][\xBF]|[\xCF][\x8C]|[\xD0][\x9E]|[\xD0][\xBE]|[\xD5]\x95)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:m|rn|\/V\\|\/\\\/\\|[\xCE][\x9C]|[\xD0][\x9C]|[\xD0]\xBC])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1]\x91)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[t\+]|[\xC5][\xA2-\xA7]|[\xCE][\xA4]|[\xCF][\x84]|[\xD0][\xA2]|[\xD1]\x82)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9
B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1\x91])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|[\xC5][\x94-\x99]|[\xD1\x93])/i +body SARE_SPEC_REPL_OBFU5 /(?!time.?piece)(?:[t\+]|[\xC5][\xA2-\xA7]|[\xCE][\xA4]|[\xCF][\x84]|[\xD0][\xA2]|[\xD1]\x82)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|[\xC4][\xA8-\xB0]|[\xC4][\xBA]|[\xC4][\xBC]|[\xC4][\xBE]|[\xC5][\x80]|[\xC5][\x82]|[\xC7][\x8F-\x90]|[\xD0][\x86-\x87]|[\xD1][\x96-\x97]|[\xCE][\x8A]|[\xCE][\x90]|[\xCE][\x99]|[\xCE][\xAA]|[\xCE][\xAF]|[\xCE][\xB9]|[\xCF]\x8A)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:m|rn|\/V\\|\/\\\/\\|[\xCE][\x9C]|[\xD0][\x9C]|[\xD0]\xBC])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1]\x91)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[p\xDE]|[\xCE][\xA1]|[\xCF][\x81]|[\xD0][\xA0]|[\xD1]\x80)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|[\xC4][\xA8-\xB0]|[\xC4][\xBA]|[\xC4][\xBC]|[\xC4][\xBE]|[\xC5][\x80]|[\xC5][\x82]|[\xC7][\x8F-\x90]|[\xD0][\x86-\x87]|[\xD1][\x96-\x97]|[\xCE][\x8A]|[\xCE][\x90]|[\xCE][\x99]|[\xCE][\xAA]|[\xCE][\xAF]|[\xCE][\xB9]|[\xCF]\x8A)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1]\x91)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[c\*\xC7\xE7\xA2\xA9]|[\xC4][\x86-\x
8D]|[\xD0][\xA1]|[\xD1]\x81)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1]\x91)/i +body SARE_SPEC_REPL_OBFU6 /(?!time.?keeper)(?:[t\+]|[\xC5][\xA2-\xA7]|[\xCE][\xA4]|[\xCF][\x84]|[\xD0][\xA2]|[\xD1]\x82)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|[\xC4][\xA8-\xB0]|[\xC4][\xBA]|[\xC4][\xBC]|[\xC4][\xBE]|[\xC5][\x80]|[\xC5][\x82]|[\xC7][\x8F-\x90]|[\xD0][\x86-\x87]|[\xD1][\x96-\x97]|[\xCE][\x8A]|[\xCE][\x90]|[\xCE][\x99]|[\xCE][\xAA]|[\xCE][\xAF]|[\xCE][\xB9]|[\xCF]\x8A)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:m|rn|\/V\\|\/\\\/\\|[\xCE][\x9C]|[\xD0][\x9C]|[\xD0]\xBC])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1]\x91)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:k|[\xC4][\xB6-\xB8]|[\xCE][\x9A]|[\xCE][\xBA]|[\xD0][\x8C]|[\xD0][\x9A]|[\xD0][\xBA]|[\xD1][\x9C]|[\xD2][\x9A-\x9D]])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1]\x91)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1]\x91)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[p\xDE]|[\xCE][\xA1]|[\xCF][\x81]|[\xD0][\xA0]
|[\xD1]\x80)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|[\xC4][\x92-\x9B]|[\xCE][\x88]|[\xCE][\x95]|[\xCE][\xA3]|[\xCE][\xAD]|[\xCE][\xB5]|[\xD0][\x81]|[\xD0][\x95]|[\xD0][\xB5]|[\xD1]\x91)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[r\xAE]|[\xC5][\x94-\x99]|[\xD1]\x93)/i
+score SARE_SPEC_REPL_OBFU1 1.666
+score SARE_SPEC_REPL_OBFU2 1.666
+score SARE_SPEC_REPL_OBFU3 1.666
+score SARE_SPEC_REPL_OBFU4 1.666
+score SARE_SPEC_REPL_OBFU5 1.666
+score SARE_SPEC_REPL_OBFU6 1.666
+#stype SARE_SPEC_REPL_OBFU1 obfu
+#stype SARE_SPEC_REPL_OBFU2 obfu
+#stype SARE_SPEC_REPL_OBFU3 obfu
+#stype SARE_SPEC_REPL_OBFU4 obfu
+#stype SARE_SPEC_REPL_OBFU5 obfu
+#stype SARE_SPEC_REPL_OBFU6 obfu
+#hist SARE_SPEC_REPL_OBFU1 Bob Menschel, Nov 2005
+#hist SARE_SPEC_REPL_OBFU2 Bob Menschel, Nov 2005
+#hist SARE_SPEC_REPL_OBFU3 Bob Menschel, Nov 2005
+#hist SARE_SPEC_REPL_OBFU4 Bob Menschel, Nov 2005
+#hist SARE_SPEC_REPL_OBFU5 Bob Menschel, Nov 2005
+#hist SARE_SPEC_REPL_OBFU6 Bob Menschel, Nov 2005
+#counts SARE_SPEC_REPL_OBFU1 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_REPL_OBFU1 8s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_REPL_OBFU1 1s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_REPL_OBFU1 10s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_REPL_OBFU1 37s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_REPL_OBFU1 7s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_REPL_OBFU1 2s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_REPL_OBFU2 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_REPL_OBFU2 1s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_REPL_OBFU3 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_REPL_OBFU3 4s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_REPL_OBFU3 1s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_REPL_OBFU4 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_REPL_OBFU5 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_REPL_OBFU5 6s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_REPL_OBFU6 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_REPL_OBFU1 8s/0h of 366109 corpus (108323s/257786h RM) 11/25/05
+#max SARE_SPEC_REPL_OBFU2 6s/0h of 366109 corpus (108323s/257786h RM) 11/25/05
+#max SARE_SPEC_REPL_OBFU3 22s/0h of 366109 corpus (108323s/257786h RM) 11/25/05
+#max SARE_SPEC_REPL_OBFU4 1s/0h of 366109 corpus (108323s/257786h RM) 11/25/05
+#max SARE_SPEC_REPL_OBFU5 0s/0h of 366109 corpus (108323s/257786h RM) 11/25/05
+#max SARE_SPEC_REPL_OBFU6 0s/0h of 366109 corpus (108323s/257786h RM) 11/25/05
+
+######## ###################### ##################################################
+# Lottery spam
+######## ###################### ##################################################
+
+body __SARE_LOTTO_LOTTERY /\blott(?:o|ery)/i
+body __SARE_LOTTO_BATCH /batch number/i
+body __SARE_LOTTO_SERIAL /serial number/i
+body __SARE_LOTTO_TICKET /ticket number/i
+body __SARE_LOTTO_LUCKY /lucky number/i
+body __SARE_LOTTO_CATEGORY /categor(?:y|ies)/i
+body __SARE_LOTTO_CONGRAT /congratulation/i
+
+meta SARE_LOTTO_SPAM __SARE_LOTTO_LOTTERY && __SARE_LOTTO_SERIAL && __SARE_LOTTO_TICKET && __SARE_LOTTO_CATEGORY && __SARE_LOTTO_CONGRAT
+describe SARE_LOTTO_SPAM Lottery Spam
+score SARE_LOTTO_SPAM 2.444
+#hist SARE_LOTTO_SPAM Robert Brooks, Feb 18 2005
+#stype SARE_LOTTO_SPAM spamg
+#counts SARE_LOTTO_SPAM 111s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_LOTTO_SPAM 3270s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_LOTTO_SPAM 60s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_LOTTO_SPAM 3s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_LOTTO_SPAM
3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_LOTTO_SPAM 200s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_LOTTO_SPAM 120s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_LOTTO_SPAM 160s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_LOTTO_SPAM 44s/0h of 54874 corpus (17700s/37174h JH-3.01) 03/13/05
+#counts SARE_LOTTO_SPAM 134s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_LOTTO_SPAM 6s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_LOTTO_SPAM 24s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
+
+meta SARE_LOTTO_SPAM2 __SARE_LOTTO_LOTTERY && __SARE_LOTTO_BATCH
+describe SARE_LOTTO_SPAM2 Lottery Spam
+score SARE_LOTTO_SPAM2 2.444
+#hist SARE_LOTTO_SPAM2 Robert Brooks, Feb 18 2005
+#stype SARE_LOTTO_SPAM2 spamg
+#counts SARE_LOTTO_SPAM2 178s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_LOTTO_SPAM2 3607s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_LOTTO_SPAM2 114s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_LOTTO_SPAM2 25s/0h of 682 corpus (290s/392h CRF) 03/11/05
+#counts SARE_LOTTO_SPAM2 3s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_LOTTO_SPAM2 238s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_LOTTO_SPAM2 145s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_LOTTO_SPAM2 180s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_LOTTO_SPAM2 54s/0h of 54874 corpus (17700s/37174h JH-3.01) 03/13/05
+#counts SARE_LOTTO_SPAM2 166s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_LOTTO_SPAM2 4s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_LOTTO_SPAM2 27s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
+
+######## ###################### ##################################################
+# Spammers who identify themselves or their specific product in message body
+######## ###################### ##################################################
+
+body
SARE_BODY_URI_STOCK /st[0o]ck\s{0,30}\d{1,30}\s{0,30}\@\s{0,30}yahoo.com/i
+describe SARE_BODY_URI_STOCK Signature of stock market spammer
+score SARE_BODY_URI_STOCK 1.666
+#hist SARE_BODY_URI_STOCK Bob Menschel, Apr 17 2005, from a variety of suggestions
+#counts SARE_BODY_URI_STOCK 0s/0h of 494544 corpus (223913s/270631h RM) 10/08/05
+#max SARE_BODY_URI_STOCK 400s/0h of 281295 corpus (109907s/171388h RM) 05/06/05
+#counts SARE_BODY_URI_STOCK 0s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_BODY_URI_STOCK 4s/0h of 10801 corpus (6349s/4452h CT) 05/24/05
+#counts SARE_BODY_URI_STOCK 172s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_BODY_URI_STOCK 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_BODY_URI_STOCK 26s/0h of 4358 corpus (754s/3604h ft) 05/24/05
+#counts SARE_BODY_URI_STOCK 0s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+#max SARE_BODY_URI_STOCK 2s/0h of 47717 corpus (43727s/3990h MY) 05/25/05
+
+body SARE_SPEC_BODY_NONEED /\b(?:noneed|st0ck)\d{2,4}/
+describe SARE_SPEC_BODY_NONEED No need to spam us!
+score SARE_SPEC_BODY_NONEED 1.666
+#hist SARE_SPEC_BODY_NONEED Robert Brooks, May 27 2005
+#counts SARE_SPEC_BODY_NONEED 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_BODY_NONEED 313s/0h of 256964 corpus (112869s/144095h RM) 05/27/05
+#counts SARE_SPEC_BODY_NONEED 0s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_BODY_NONEED 5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_SPEC_BODY_NONEED 222s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_BODY_NONEED 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_BODY_NONEED 34s/0h of 4359 corpus (759s/3600h ft) 05/27/05
+#counts SARE_SPEC_BODY_NONEED 0s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_BODY_NONEED 4s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+
+header SARE_SPEC_DIPLOMA Subject =~ m'\bd.?iplomas?\b'i
+describe SARE_SPEC_DIPLOMA educational spam subject
+score SARE_SPEC_DIPLOMA 1.094
+#hist SARE_SPEC_DIPLOMA Bob Menschel, Nov 2005
+#counts SARE_SPEC_DIPLOMA 117s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_DIPLOMA 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_DIPLOMA 1s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_DIPLOMA 10s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_DIPLOMA 46s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_DIPLOMA 8s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_DIPLOMA 196s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_DIPLOMA 4s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_DIPLOMA 6s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+
+body SARE_SPEC_ANTIDOTE /(?:"The Antidote"|Health Monthly Newsletter|Kills all Known|full-guarantee)/i
+describe SARE_SPEC_ANTIDOTE Antidote spammer
+score SARE_SPEC_ANTIDOTE 1.666
+#hist SARE_SPEC_ANTIDOTE Loren Wilton, May 29 2005
+#ham SARE_SPEC_ANTIDOTE mentions book with title "The Antidote" avail
from amazon.com
+#counts SARE_SPEC_ANTIDOTE 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_ANTIDOTE 329s/0h of 273328 corpus (132835s/140493h RM) 05/30/05
+#counts SARE_SPEC_ANTIDOTE 0s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_ANTIDOTE 26s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_SPEC_ANTIDOTE 3s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#max SARE_SPEC_ANTIDOTE 10s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_ANTIDOTE 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_ANTIDOTE 82s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_ANTIDOTE 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_ANTIDOTE 1s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_ANTIDOTE 0s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_ANTIDOTE 227s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+
+header SARE_SPEC_SPAMIS_FROM From =~ /\bspamis\b/i
+describe SARE_SPEC_SPAMIS_FROM Possibly from or via spammer system
+score SARE_SPEC_SPAMIS_FROM 1.666
+#stype SARE_SPEC_SPAMIS_FROM spamg
+#hist SARE_SPEC_SPAMIS_FROM Bob Menschel, Aug 07 2005
+#counts SARE_SPEC_SPAMIS_FROM 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_SPAMIS_FROM 79s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_SPEC_SPAMIS_FROM 0s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_SPAMIS_FROM 15s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_SPAMIS_FROM 0s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_SPAMIS_FROM 1s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+
+header SARE_SPEC_SPAMIS_RECV Received =~ /\bspamis\b/i
+describe SARE_SPEC_SPAMIS_RECV Possibly from or via spammer system
+score SARE_SPEC_SPAMIS_RECV 1.666
+#stype SARE_SPEC_SPAMIS_RECV spamg
+#hist SARE_SPEC_SPAMIS_RECV Bob Menschel, Aug 07 2005
+#counts SARE_SPEC_SPAMIS_RECV 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_SPAMIS_RECV 80s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_SPEC_SPAMIS_RECV 0s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_SPAMIS_RECV 15s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_SPAMIS_RECV 0s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_SPAMIS_RECV 1s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+
+body SARE_SPEC_SPAMIS_BDY1 /\b(?:spamis|s p a m i s)\b/i
+describe SARE_SPEC_SPAMIS_BDY1 Possibly from or via spammer system
+score SARE_SPEC_SPAMIS_BDY1 1.666
+#stype SARE_SPEC_SPAMIS_BDY1 spamg
+#hist SARE_SPEC_SPAMIS_BDY1 Bob Menschel, Sep 26 2005
+#counts SARE_SPEC_SPAMIS_BDY1 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_SPAMIS_BDY1 93s/0h of 646449 corpus (258764s/387685h RM) 09/30/05
+#counts SARE_SPEC_SPAMIS_BDY1 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_SPAMIS_BDY1 5s/0h of 3327 corpus (2029s/1298h AXB) 10/02/05
+#counts SARE_SPEC_SPAMIS_BDY1 0s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_SPAMIS_BDY1 21s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_SPAMIS_BDY1 3s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_SPAMIS_BDY1 4s/0h of 54753 corpus (49767s/4986h MY) 10/01/05
+#counts SARE_SPEC_SPAMIS_BDY1 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_SPAMIS_BDY1 13s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+
+body SARE_SPEC_SPAMIS_BDY2 /P\s?O\s?B\s?o\s?x\s?1\s?2\s?5\s?9\s?,\s?S\s?e\s?a\s?t\s?t\s?l\s?e\s?,\s?W\s?A\s?9\s?8\s?1\s?0\s?1/i
+describe SARE_SPEC_SPAMIS_BDY2 Possibly from or via spammer system
+score SARE_SPEC_SPAMIS_BDY2 1.666
+#stype SARE_SPEC_SPAMIS_BDY2 spamg
+#hist SARE_SPEC_SPAMIS_BDY2 Bob Menschel, Sep 26 2005
+#counts SARE_SPEC_SPAMIS_BDY2 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_SPAMIS_BDY2 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_SPAMIS_BDY2 5s/0h of 3327 corpus (2029s/1298h
AXB) 10/02/05
+#counts SARE_SPEC_SPAMIS_BDY2 15s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_SPAMIS_BDY2 27s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_SPAMIS_BDY2 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_SPAMIS_BDY2 10s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_SPAMIS_BDY2 5s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+#counts SARE_SPEC_SPAMIS_BDY2 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_SPAMIS_BDY2 203s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_SPAMIS_BDY2 6s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+
+body SARE_SPEC_LEO_DOLLARS /(?:\$[13]\s){3}/
+score SARE_SPEC_LEO_DOLLARS 2.444
+describe SARE_SPEC_LEO_DOLLARS Leo table drug spam
+#hist SARE_SPEC_LEO_DOLLARS Loren Wilton, Sept 07, 2005
+#counts SARE_SPEC_LEO_DOLLARS 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_DOLLARS 3095s/0h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LEO_DOLLARS 3s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_DOLLARS 12s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_DOLLARS 24s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_DOLLARS 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_LEO_DOLLARS 59s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_DOLLARS 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_DOLLARS 122s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_LEO_DOLLARS 11s/0h of 53432 corpus (48386s/5046h MY) 10/08/05
+
+body SARE_SPEC_LEO_DOLLARSa /(?:\$\s?[123]\s){3}/
+score SARE_SPEC_LEO_DOLLARSa 1.666
+describe SARE_SPEC_LEO_DOLLARSa Leo table drug spam
+#ham SARE_SPEC_LEO_DOLLARSa source code, list of $n parameters
+#hist SARE_SPEC_LEO_DOLLARSa Loren Wilton, Sept 07, 2005, mod Oct 8 2005
+#counts SARE_SPEC_LEO_DOLLARSa 0s/0h of 173230 corpus
(99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_DOLLARSa 3095s/1h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LEO_DOLLARSa 3s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_DOLLARSa 12s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_DOLLARSa 25s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_DOLLARSa 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_LEO_DOLLARSa 59s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_DOLLARSa 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_DOLLARSa 122s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_LEO_DOLLARSa 11s/0h of 53432 corpus (48386s/5046h MY) 10/08/05
+
+body SARE_SPEC_LEO_COST /(?:\s\$[13]){3}\s(?:(?:21|75|33)[\.\s]){3}/
+score SARE_SPEC_LEO_COST 2.222
+describe SARE_SPEC_LEO_COST Table drug cost
+#hist SARE_SPEC_LEO_COST Loren Wilton, Sept 07, 2005
+#counts SARE_SPEC_LEO_COST 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_COST 1595s/0h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LEO_COST 0s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_COST 7s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_COST 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_LEO_COST 8s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_COST 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+#counts SARE_SPEC_LEO_COST 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_COST 48s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_LEO_COST 5s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+
+body SARE_SPEC_LEO_COSTa /(?:\s\$\s?[123]){3}\s(?:\d\d[\.\s]){3}/
+score SARE_SPEC_LEO_COSTa 2.222
+describe SARE_SPEC_LEO_COSTa Table drug cost
+#hist SARE_SPEC_LEO_COSTa Loren Wilton, Sept 07, 2005, mod Oct 8 2005
+#counts SARE_SPEC_LEO_COSTa 0s/0h of 173230
corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_COSTa 1612s/0h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LEO_COSTa 1s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_COSTa 8s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_COSTa 0s/0h of 53432 corpus (48386s/5046h MY) 10/08/05
+#counts SARE_SPEC_LEO_COSTa 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_LEO_COSTa 8s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_COSTa 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_COSTa 54s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_LEO_COSTa 5s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+
+body __SARE_SPEC_LRD_COST1 /3\.75/
+body __SARE_SPEC_LRD_COST2 /1\.21/
+body __SARE_SPEC_LRD_COST3 /3\.33/
+meta SARE_SPEC_LRD_COST_M1 __SARE_SPEC_LRD_COST1 && __SARE_SPEC_LRD_COST2 && __SARE_SPEC_LRD_COST3
+describe SARE_SPEC_LRD_COST_M1 LEO drug pricing variations
+score SARE_SPEC_LRD_COST_M1 0.698
+#ham SARE_SPEC_LRD_COST_M1 firewall logs emailed
+#hist SARE_SPEC_LRD_COST_M1 Raymond Dijkxhoorn, Oct 2005
+#counts SARE_SPEC_LRD_COST_M1 0s/2h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LRD_COST_M1 4374s/32h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LRD_COST_M1 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_LRD_COST_M1 3s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_LRD_COST_M1 17s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_LRD_COST_M1 101s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LRD_COST_M1 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LRD_COST_M1 589s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LRD_COST_M1 55s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_LRD_COST_M1 5s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LRD_COST_M1
189s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+body __SARE_SPEC_PROLEO1 /85(\,|\.)45|1(\,|\.)(20|21|22|56)/
+body __SARE_SPEC_PROLEO2 /69(\,|\.)95|2(\,|\.)78|3(\,|\.)(32|33|70)/
+body __SARE_SPEC_PROLEO3 /99(\,|\.)95|3(\,|\.)(00|35|75)/
+uri __SARE_SPEC_PROLEO4 /http:\/\/.{0,30}\.tripod\.com/
+body __SARE_SPEC_PROLEO5 /http:\/\/www\.\b/
+meta SARE_SPEC_PROLEO_M1 (__SARE_SPEC_PROLEO1 && __SARE_SPEC_PROLEO2 && __SARE_SPEC_PROLEO3 && __SARE_SPEC_PROLEO4)
+describe SARE_SPEC_PROLEO_M1 Leo drug spam signs
+score SARE_SPEC_PROLEO_M1 4.000
+#stype SARE_SPEC_PROLEO_M1 spamg
+#hist SARE_SPEC_PROLEO_M1 Raymond Dijkxhoorn, Nov 2005
+#counts SARE_SPEC_PROLEO_M1 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_PROLEO_M1 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_PROLEO_M1 248s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_PROLEO_M1 18s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_PROLEO_M1 6s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_PROLEO_M1 27s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_PROLEO_M1 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_PROLEO_M1 84s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#counts SARE_SPEC_PROLEO_M1 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_PROLEO_M1 316s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+meta SARE_SPEC_PROLEO_M2 (__SARE_SPEC_PROLEO1 && __SARE_SPEC_PROLEO2 && __SARE_SPEC_PROLEO3 && __SARE_SPEC_PROLEO5 && !SARE_SPEC_PROLEO_M2a)
+describe SARE_SPEC_PROLEO_M2 Leo drug spam signs
+score SARE_SPEC_PROLEO_M2 0.692
+#hist SARE_SPEC_PROLEO_M2 Raymond Dijkxhoorn, Nov 2005
+#counts SARE_SPEC_PROLEO_M2 1s/5h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_PROLEO_M2 108s/20h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_PROLEO_M2 42s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_PROLEO_M2 0s/3h of 36686 corpus
(32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_PROLEO_M2 4s/0h of 4178 corpus (2833s/1345h AxB) 11/12/05
+#counts SARE_SPEC_PROLEO_M2 27s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_PROLEO_M2 142s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_PROLEO_M2 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_PROLEO_M2 1s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#counts SARE_SPEC_PROLEO_M2 9s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_PROLEO_M2 10s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+meta SARE_SPEC_PROLEO_M2a (__SARE_SPEC_PROLEO1 && __SARE_SPEC_PROLEO2 && __SARE_SPEC_PROLEO3 && __SARE_SPEC_PROLEO5 && MIME_QP_LONG_LINE)
+describe SARE_SPEC_PROLEO_M2a Leo drug spam signs
+score SARE_SPEC_PROLEO_M2a 3.333
+#stype SARE_SPEC_PROLEO_M2a spamg
+rawbody MIME_QP_LONG_LINE eval:check_for_mime('mime_qp_long_line')
+#hist SARE_SPEC_PROLEO_M2a Raymond Dijkxhoorn, Nov 2005
+#counts SARE_SPEC_PROLEO_M2a 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_PROLEO_M2a 255s/0h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_PROLEO_M2a 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_PROLEO_M2a 4s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_PROLEO_M2a 5s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_PROLEO_M2a 7s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_PROLEO_M2a 25s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_PROLEO_M2a 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_PROLEO_M2a 13s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#counts SARE_SPEC_PROLEO_M2a 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_PROLEO_M2a 134s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_PROLEO_M2a 0s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+
+body __SARE_SPEC_LRD_COST4 /134/
+body __SARE_SPEC_LRD_COST5 /169/
+body
__SARE_SPEC_LRD_COST6 /218/
+header __SARE_SPEC_LRD_COST7 Subject =~ /ceutical/i
+meta SARE_SPEC_LRD_COST_M2 __SARE_SPEC_LRD_COST4 && __SARE_SPEC_LRD_COST5 && __SARE_SPEC_LRD_COST6 && __SARE_SPEC_LRD_COST7
+describe SARE_SPEC_LRD_COST_M2 LEO drug pricing variations
+score SARE_SPEC_LRD_COST_M2 1.111
+#stype SARE_SPEC_LRD_COST_M2 spamp
+#hist SARE_SPEC_LRD_COST_M2 Raymond Dijkxhoorn, Oct 2005
+#counts SARE_SPEC_LRD_COST_M2 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LRD_COST_M2 36s/0h of 366109 corpus (108323s/257786h RM) 11/25/05
+#counts SARE_SPEC_LRD_COST_M2 1s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LRD_COST_M2 0s/0h of 53432 corpus (48386s/5046h MY) 10/08/05
+#counts SARE_SPEC_LRD_COST_M2 0s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LRD_COST_M2 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LRD_COST_M2 17s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_LRD_COST_M2 4s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+
+body __SARE_SPEC_LEO_DRGS /^(?:Am|Me|Pr|Le|Xa|Ci|Ce|Vi|Ul|Va){3,}\s(?:bi|ri|op|vi|na|al|le|ag|tr|li){3,}\s(?:en|dia|ecia|tra|x|is|brex|ra|am|um){3,}\s/ # no /i
+body __SARE_SPEC_LEO_DRGS5a /\b(?:(?:Am|AM|Me|ME|Pr|PR|Le|LE|Xa|XA|Ci|CI|Ce|CE|Vi|VI|Ul|UL|Va|VA)(?:$|\s{1,30})){10}/
+body __SARE_SPEC_LEO_DRGS5b /\b(?:(?:bi|ri|op|vi|na|al|le|ag|tr|li)(?:$|\s{1,30})){10}/i
+body __SARE_SPEC_LEO_DRGS5c /\b(?:(?:am|di|dia|br|brex|ra|en|x|um|ec|ecia|is|tr|tra)(?:$|\s{1,30})){10}/i
+body __SARE_SPEC_LEO_DRGS6a /\b(?:(?:M|L|A|P|C|V|V|X|U|C)(?:$|\s{1,30})){10}/
+body __SARE_SPEC_LEO_DRGS6b /\b(?:(?:e|e|m|r|I|I|A|a|l|e)(?:$|\s{1,30})){10}/i
+body __SARE_SPEC_LEO_DRGS6c /\b(?:(?:r|v|b|o|A|A|L|n|t|l)(?:$|\s{1,30})){10}/i
+body __SARE_SPEC_LEO_DRGS6d /\b(?:(?:d|t|e|e|I|R|U|x|a|b)(?:$|\s{1,30})){10}/i
+
+meta SARE_SPEC_LEO_DRUGS __SARE_SPEC_LEO_DRGS || (__SARE_SPEC_LEO_DRGS5a && __SARE_SPEC_LEO_DRGS5b && __SARE_SPEC_LEO_DRGS5c) || (__SARE_SPEC_LEO_DRGS6a &&
__SARE_SPEC_LEO_DRGS6b && __SARE_SPEC_LEO_DRGS6c && __SARE_SPEC_LEO_DRGS6d)
+score SARE_SPEC_LEO_DRUGS 2.888
+describe SARE_SPEC_LEO_DRUGS Vertical table drug spam
+#hist SARE_SPEC_LEO_DRUGS Loren Wilton, Sept 07, 2005
+#counts SARE_SPEC_LEO_DRUGS 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_DRUGS 6734s/0h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LEO_DRUGS 230s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+#counts SARE_SPEC_LEO_DRUGS 0s/1h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_DRUGS 27s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_DRUGS 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_LEO_DRUGS 48s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_DRUGS 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_DRUGS 238s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_LEO_DRUGS 21s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+
+body SARE_SPEC_LEO_MEDS /(?!medications?)\b(?:m|rn|\/V\\|\/\\\/\\]).?(?:[e3\*\xC8-\xCB\xE8-\xEB]).?(?:[d\xD0]).?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]).?(?:[c\*\xC7\xE7\xA2\xA9]).?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\).?(?:[t\+]).?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]).?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]).?(?:[n\xD1\xF1]|\|\\\|).?(?:[s5\$\xA7])?/i
+describe SARE_SPEC_LEO_MEDS obfuscated subject body
+score SARE_SPEC_LEO_MEDS 1.666
+#hist SARE_SPEC_LEO_MEDS Bob Menschel, Sept 11, 2005
+#ham SARE_SPEC_LEO_MEDS misspelling
+#counts SARE_SPEC_LEO_MEDS 263s/1h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_MEDS 6780s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_SPEC_LEO_MEDS 34s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_LEO_MEDS 12s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_MEDS 40s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_SPEC_LEO_MEDS 191s/0h of 155610 corpus
(103978s/51632h DOC) 05/14/06
+#max SARE_SPEC_LEO_MEDS 240s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_LEO_MEDS 46s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_MEDS 722s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_MEDS 67s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_LEO_MEDS 452s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
+#counts SARE_SPEC_LEO_MEDS 307s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_MEDS 355s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+body SARE_SPEC_LEO_PHARM /(?!pharmac(?:y|ies))\b(?:[p\xDE]).?h.?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\).?(?:[r\xAE]).?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\)?(?:m|rn|\/V\\|\/\\\/\\]).?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\)?(?:[c\*\xC7\xE7\xA2\xA9])(?:(?:[y\xA5\xDD\xFD])|(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]).?(?:[e3\*\xC8-\xCB\xE8-\xEB]).?(?:[s5\$\xA7]))/i
+describe SARE_SPEC_LEO_PHARM obfuscated subject body
+score SARE_SPEC_LEO_PHARM 1.666
+#hist SARE_SPEC_LEO_PHARM Bob Menschel, Sept 11, 2005
+#ham SARE_SPEC_LEO_PHARM misspelling (2)
+#counts SARE_SPEC_LEO_PHARM 413s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_PHARM 3205s/3h of 679260 corpus (323056s/356204h RM) 09/13/05
+#counts SARE_SPEC_LEO_PHARM 87s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_LEO_PHARM 167s/2h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_LEO_PHARM 1000s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_PHARM 45s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_PHARM 692s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_PHARM 105s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_LEO_PHARM 462s/0h of 53432 corpus (48386s/5046h MY) 10/08/05
+#counts SARE_SPEC_LEO_PHARM 1996s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+
+body SARE_SPEC_LEO_PHARM2
/(?!Pharmaceuticals?)\b(?:[p\xDE]).?h.?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\).?(?:[r\xAE]).?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\)?(?:m|rn|\/V\\|\/\\\/\\]).?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\).?(?:[c\*\xC7\xE7\xA2\xA9]).?(?:[e3\*\xC8-\xCB\xE8-\xEB]).?(?:[uv\*\xB5\xD9-\xDC\xF9-\xFC]).?(?:[t\+]).?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]).?(?:[c\*\xC7\xE7\xA2\xA9]).?(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\).?(?:[l1I\|\xA3]).?(?:[s5\$\xA7])?/i
+describe SARE_SPEC_LEO_PHARM2 obfuscated subject body
+score SARE_SPEC_LEO_PHARM2 1.666
+#hist SARE_SPEC_LEO_PHARM2 Bob Menschel, Sept 11, 2005
+#ham SARE_SPEC_LEO_PHARM2 Intentional strange spacing
+#counts SARE_SPEC_LEO_PHARM2 30s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_PHARM2 5774s/2h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LEO_PHARM2 23s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_LEO_PHARM2 188s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_PHARM2 27s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_PHARM2 467s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_PHARM2 134s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_LEO_PHARM2 167s/0h of 53432 corpus (48386s/5046h MY) 10/08/05
+#counts SARE_SPEC_LEO_PHARM2 9s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_PHARM2 137s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+body SARE_SPEC_LEO_CHEM /(?!chemist)\b(?:[c\*\xC7\xE7\xA2\xA9]).?h.?(?:[e3\*\xC8-\xCB\xE8-\xEB]).?(?:m|rn|\/V\\|\/\\\/\\]).?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]).?(?:[s5\$\xA7]).?(?:[t\+])/i
+describe SARE_SPEC_LEO_CHEM obfuscated subject body
+score SARE_SPEC_LEO_CHEM 0.992
+#hist SARE_SPEC_LEO_CHEM Bob Menschel, Sept 11, 2005
+#counts SARE_SPEC_LEO_CHEM 1s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_CHEM 50s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
+#counts SARE_SPEC_LEO_CHEM 0s/0h of 36686 corpus
(32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_LEO_CHEM 1s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_LEO_CHEM 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
+#counts SARE_SPEC_LEO_CHEM 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_LEO_CHEM 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
+#counts SARE_SPEC_LEO_CHEM 3s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_LEO_CHEM 152s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+#counts SARE_SPEC_LEO_CHEM 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_CHEM 2s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+body SARE_SPEC_LEO_LINE02 m'(?:[A-Z][a-z]{1,2}){5}\w{1,30}\s[a-z]{10}'
+describe SARE_SPEC_LEO_LINE02 common Leo body text
+score SARE_SPEC_LEO_LINE02 2.666
+#hist SARE_SPEC_LEO_LINE02 Bob Menschel, Sept 11, 2005
+#counts SARE_SPEC_LEO_LINE02 3s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_LINE02 5058s/0h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LEO_LINE02 1s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_LINE02 20s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_LINE02 27s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_LINE02 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_LINE02 72s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_LINE02 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_LINE02 205s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+rawbody SARE_SPEC_LEO_LINE03a m'<DIV[^>]{0,40}style=[^>]{0,40}FLOAT: left;'i
+describe SARE_SPEC_LEO_LINE03a common Leo body text
+score SARE_SPEC_LEO_LINE03a 0.408
+#hist SARE_SPEC_LEO_LINE03a Bob Menschel, Sept 11, 2005, modified Oct 8 2005
+#counts SARE_SPEC_LEO_LINE03a 3s/19h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_LINE03a 11045s/41h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts
SARE_SPEC_LEO_LINE03a 43s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_LEO_LINE03a 26s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_LINE03a 36s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_LINE03a 153s/42h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_LINE03a 0s/1h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_LINE03a 860s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_LINE03a 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_LINE03a 368s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_LEO_LINE03a 260s/4h of 23026 corpus (17290s/5736h MY) 05/14/06
+
+rawbody SARE_SPEC_LEO_LINE03b m'<DIV[^>]{0,40}style=[^>]{0,40}(?:BORDER|MARGIN|PADDING)-(?:BOTTOM|LEFT|RIGHT|TOP)-WIDTH: 0px;'i
+describe SARE_SPEC_LEO_LINE03b common Leo body text
+score SARE_SPEC_LEO_LINE03b 2.222
+#hist SARE_SPEC_LEO_LINE03b Bob Menschel, Oct 8 2005
+#counts SARE_SPEC_LEO_LINE03b 81s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_LINE03b 380s/0h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_LEO_LINE03b 8s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_LEO_LINE03b 38s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_LEO_LINE03b 303s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_LINE03b 46s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_LEO_LINE03b 7s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_LEO_LINE03b 134s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+
+rawbody SARE_SPEC_LEO_LINE03e m'<TABLE[^>]{0,40}style=[^>]{0,40}(?:BORDER|MARGIN|PADDING)-(?:BOTTOM|LEFT|RIGHT|TOP)-WIDTH: 0px;'i
+describe SARE_SPEC_LEO_LINE03e common Leo body text
+score SARE_SPEC_LEO_LINE03e 0.635
+#ham SARE_SPEC_LEO_LINE03e confirmed (3)
+#hist SARE_SPEC_LEO_LINE03e Bob Menschel, Oct 8 2005
+#counts
SARE_SPEC_LEO_LINE03e 2s/1h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_LINE03e 759s/5h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_LEO_LINE03e 1s/1h of 9999 corpus (5651s/4348h AxB) 05/14/06
+#max SARE_SPEC_LEO_LINE03e 25s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_LEO_LINE03e 4s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_LINE03e 5s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_LINE03e 33s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_LINE03e 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_LINE03e 55s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_LINE03e 17s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+#counts SARE_SPEC_LEO_LINE03e 0s/1h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_LINE03e 162s/1h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+rawbody SARE_SPEC_LEO_LINE03f m'<TABLE[^>]{0,40}style=[^>]{0,40}(?:BORDER|MARGIN|PADDING)-(?:BOTTOM|LEFT|RIGHT|TOP): 0px;'i
+describe SARE_SPEC_LEO_LINE03f common Leo body text
+score SARE_SPEC_LEO_LINE03f 0.612
+#hist SARE_SPEC_LEO_LINE03f Bob Menschel, Oct 8 2005
+#counts SARE_SPEC_LEO_LINE03f 0s/1h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_LINE03f 2134s/22h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_LEO_LINE03f 0s/3h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_LEO_LINE03f 47s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_LEO_LINE03f 11s/2h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_LINE03f 15s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_LINE03f 68s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_LINE03f 0s/4h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_LINE03f 144s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_LINE03f 43s/0h of
23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_LEO_LINE03f 0s/1h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_LINE03f 436s/1h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+rawbody SARE_SPEC_LEO_LINE04 m'(?:(?:<BR>+)+(?:<B>)?[a-z]{1,3}(?:<\B>)?){5}'i
+describe SARE_SPEC_LEO_LINE04 common Leo body text
+score SARE_SPEC_LEO_LINE04 1.666
+#hist SARE_SPEC_LEO_LINE04 Bob Menschel, Sept 11, 2005
+#ham SARE_SPEC_LEO_LINE04 S P O I L E R spelled vertically to give people a chance to not scroll down to the spoiler.
+#counts SARE_SPEC_LEO_LINE04 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_LINE04 8643s/2h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LEO_LINE04 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_LEO_LINE04 50s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_LEO_LINE04 42s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_LEO_LINE04 179s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_LINE04 185s/1h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_LINE04 815s/1h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_LINE04 198s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_LEO_LINE04 16s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_LINE04 398s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+rawbody SARE_SPEC_LEO_LINE04d m'(?:(?:<BR>+)(?:<B>)?[a-z]{1,3}(?:<\B>)?){9}'i
+describe SARE_SPEC_LEO_LINE04d common Leo body text
+score SARE_SPEC_LEO_LINE04d 1.666
+#ham SARE_SPEC_LEO_LINE04d confirmed
+#hist SARE_SPEC_LEO_LINE04d Bob Menschel, Sept 11, 2005
+#counts SARE_SPEC_LEO_LINE04d 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_LINE04d 3605s/0h of 494544 corpus (223913s/270631h RM) 10/08/05
+#counts SARE_SPEC_LEO_LINE04d 1s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_LEO_LINE04d 19s/0h of 11588 corpus
(6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_LINE04d 26s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_LINE04d 0s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#max SARE_SPEC_LEO_LINE04d 39s/0h of 139999 corpus (133260s/6739h ft) 10/09/05
+#counts SARE_SPEC_LEO_LINE04d 134s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+#counts SARE_SPEC_LEO_LINE04d 16s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_LINE04d 206s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+full SARE_SPEC_LEO_PIE2 />(?:[a-z]\s){3,7}[a-z]<.{4,50}>(?:[a-z]\s){3,7}[a-z]<.{4,50}>(?:[a-z]\s){3,5}[a-z]/is
+describe SARE_SPEC_LEO_PIE2 pseudo-table-format spam
+score SARE_SPEC_LEO_PIE2 4.000
+#stype SARE_SPEC_LEO_PIE2 spamg
+#hist SARE_SPEC_LEO_PIE2 Fred Tarasevicius, Nov 2005
+#counts SARE_SPEC_LEO_PIE2 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_PIE2 1462s/0h of 366109 corpus (108323s/257786h RM) 11/25/05
+#counts SARE_SPEC_LEO_PIE2 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_LEO_PIE2 304s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_LEO_PIE2 8s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_LEO_PIE2 36s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_PIE2 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_PIE2 102s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#counts SARE_SPEC_LEO_PIE2 12s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_LEO_PIE2 1s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_LEO_PIE2 425s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+
+header __SARE_SPEC_SUBJ_LEO Subject =~ /^(?:Re:\s?)?(?:\w{4,20}\s){2,4}\s?$/
+rawbody __SARE_SPEC_BORDER_W0 /BORDER-(?:RIGHT|TOP)-WIDTH: 0/
+meta SARE_SPEC_LEO_BORD (__SARE_SPEC_SUBJ_LEO && __SARE_SPEC_BORDER_W0)
+score SARE_SPEC_LEO_BORD 0.639
+#stype SARE_SPEC_LEO_BORD spamg
+#hist SARE_SPEC_LEO_BORD Fred Tarasevicius, Nov 2005
+#counts SARE_SPEC_LEO_BORD 6s/1h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_LEO_BORD 410s/6h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_LEO_BORD 0s/1h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#counts SARE_SPEC_LEO_BORD 1s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_LEO_BORD 19s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_LEO_BORD 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_LEO_BORD 16s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#counts SARE_SPEC_LEO_BORD 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_LEO_BORD 4s/0h of 8121 corpus (6866s/1255h ML) 11/04/05
+#counts SARE_SPEC_LEO_BORD 19s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+
+header SARE_SPEC_REALLY_WORKS Subject =~ m'really works (?:wonder|excellent|good|amazing|great|fine|very)'i
+describe SARE_SPEC_REALLY_WORKS spamsign for specific drug spammer
+score SARE_SPEC_REALLY_WORKS 1.666
+#hist SARE_SPEC_REALLY_WORKS Bob Menschel, Nov 2005
+#counts SARE_SPEC_REALLY_WORKS 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_REALLY_WORKS 478s/0h of 386238 corpus (131050s/255188h RM) 11/17/05
+#counts SARE_SPEC_REALLY_WORKS 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_REALLY_WORKS 6s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_REALLY_WORKS 1s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_REALLY_WORKS 2s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_REALLY_WORKS 6s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_REALLY_WORKS 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_REALLY_WORKS 10s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#counts SARE_SPEC_REALLY_WORKS 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_REALLY_WORKS 48s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_REALLY_WORKS 17s/0h of 23026 corpus
(17290s/5736h MY) 05/14/06
+#max SARE_SPEC_REALLY_WORKS 24s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+
+header SARE_SPEC_REALLY_WORK2 Subject =~ m'works wonders?$'i
+describe SARE_SPEC_REALLY_WORK2 spamsign for specific drug spammer
+score SARE_SPEC_REALLY_WORK2 0.617
+#hist SARE_SPEC_REALLY_WORK2 Bob Menschel, Nov 2005
+#counts SARE_SPEC_REALLY_WORK2 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_REALLY_WORK2 118s/1h of 386238 corpus (131050s/255188h RM) 11/17/05
+#counts SARE_SPEC_REALLY_WORK2 0s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_REALLY_WORK2 5s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_REALLY_WORK2 0s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#max SARE_SPEC_REALLY_WORK2 1s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_REALLY_WORK2 1s/0h of 90468 corpus (40568s/49900h DOC) 11/18/05
+#counts SARE_SPEC_REALLY_WORK2 0s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#max SARE_SPEC_REALLY_WORK2 6s/0h of 9823 corpus (4931s/4892h FT) 11/18/05
+#counts SARE_SPEC_REALLY_WORK2 0s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_REALLY_WORK2 13s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_REALLY_WORK2 5s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_REALLY_WORK2 13s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+
+header SARE_SPEC_REALLY_WORK3 Subject =~ m'really works\!$'i
+describe SARE_SPEC_REALLY_WORK3 spamsign for specific drug spammer
+score SARE_SPEC_REALLY_WORK3 1.017
+#hist SARE_SPEC_REALLY_WORK3 Bob Menschel, Nov 2005
+#counts SARE_SPEC_REALLY_WORK3 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_REALLY_WORK3 54s/0h of 386238 corpus (131050s/255188h RM) 11/17/05
+#counts SARE_SPEC_REALLY_WORK3 0s/0h of 11588 corpus (6361s/5227h CT) 11/18/05
+#counts SARE_SPEC_REALLY_WORK3 23s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_REALLY_WORK3 6s/0h of 106098 corpus (72789s/33309h
ML) 05/14/06
+
+header SARE_SPEC_REALLY_WORK4 Subject =~ m'(?:\b(?:you|u) (?:could|might|do|maybe)? ?need it|(?:useful|interesting) information|don\'t (?:miss (?:the|a good) chance|miss it)|good proposal|just (?:do|think about) it|very good news|to let you know|(?:upi|u) can (?:do|ride) it|just have a look|(?:new|good) offr)\W{0,30}$'i
+describe SARE_SPEC_REALLY_WORK4 spamsign for specific drug spammer
+score SARE_SPEC_REALLY_WORK4 0.665
+#hist SARE_SPEC_REALLY_WORK4 Bob Menschel, Nov 2005
+#counts SARE_SPEC_REALLY_WORK4 14s/10h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_REALLY_WORK4 2566s/11h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_REALLY_WORK4 12s/0h of 36686 corpus (32345s/4341h AxB2) 05/14/06
+#max SARE_SPEC_REALLY_WORK4 130s/0h of 4676 corpus (3324s/1352h AxB) 11/18/05
+#counts SARE_SPEC_REALLY_WORK4 11s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_REALLY_WORK4 101s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_REALLY_WORK4 34s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_REALLY_WORK4 29s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#max SARE_SPEC_REALLY_WORK4 254s/0h of 19215 corpus (15849s/3366h ML) 11/18/05
+#counts SARE_SPEC_REALLY_WORK4 16s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#max SARE_SPEC_REALLY_WORK4 31s/0h of 42678 corpus (37399s/5279h MY) 11/18/05
+
+######## ###################### ##################################################
+# Spammers identified by their web site or "service"
+######## ###################### ##################################################
+
+uri __SARE_SPEC_XXGEOCITIE m'\b(?:(?!www)[a-z]{2,3})\.(?:geocities|tripod)\.com/\w{1,30}/\?'i
+uri __SARE_SPEC_XX2GEOCIT /\b[a-z]{2}\.geocities\.com/i
+
+meta SARE_SPEC_XXGEOCITIES2 !__SARE_SPEC_XXGEOCITIE && __SARE_SPEC_XX2GEOCIT
+describe SARE_SPEC_XXGEOCITIES2 spamsign pointing to free webhost spam site
+score SARE_SPEC_XXGEOCITIES2 1.666
+#hist
SARE_SPEC_XXGEOCITIES2 Fred Tarasevicius, Nov 2005
+#counts SARE_SPEC_XXGEOCITIES2 497s/18h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_XXGEOCITIES2 1237s/2h of 369947 corpus (112058s/257889h RM) 11/24/05
+#counts SARE_SPEC_XXGEOCITIES2 66s/2h of 9999 corpus (5651s/4348h AxB) 05/14/06
+#counts SARE_SPEC_XXGEOCITIES2 238s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_XXGEOCITIES2 698s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_XXGEOCITIES2 1251s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_XXGEOCITIES2 2881s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_XXGEOCITIES2 62s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+
+meta SARE_SPEC_XXGEOCITIES3 __SARE_SPEC_XXGEOCITIE && __SARE_SPEC_XX2GEOCIT
+describe SARE_SPEC_XXGEOCITIES3 spamsign pointing to free webhost spam site
+score SARE_SPEC_XXGEOCITIES3 1.666
+#hist SARE_SPEC_XXGEOCITIES3 Fred Tarasevicius, Nov 2005
+#ham SARE_SPEC_XXGEOCITIES3 confirmed (1)
+#counts SARE_SPEC_XXGEOCITIES3 0s/0h of 173230 corpus (99061s/74169h RM) 05/11/06
+#max SARE_SPEC_XXGEOCITIES3 499s/0h of 366082 corpus (108301s/257781h RM) 11/25/05
+#counts SARE_SPEC_XXGEOCITIES3 8s/0h of 9999 corpus (5651s/4348h AxB) 05/14/06
+#counts SARE_SPEC_XXGEOCITIES3 27s/0h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_XXGEOCITIES3 23s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_XXGEOCITIES3 168s/0h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_XXGEOCITIES3 75s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+#counts SARE_SPEC_XXGEOCITIES3 916s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+
+uri __SARE_SPEC_XXGEOCIT5 m'\bgeocities\.yahoo\.com\b'i
+meta SARE_SPEC_XXGEOCITIE5 __SARE_SPEC_XXGEOCIT5
+describe SARE_SPEC_XXGEOCITIE5 spamsign pointing to free webhost spam site
+score SARE_SPEC_XXGEOCITIE5 0.667
+#hist SARE_SPEC_XXGEOCITIE5 Bob Menschel, Dec 2005
+#counts SARE_SPEC_XXGEOCITIE5 31s/12h of
173230 corpus (99061s/74169h RM) 05/11/06
+#counts SARE_SPEC_XXGEOCITIE5 6s/0h of 9999 corpus (5651s/4348h AxB) 05/14/06
+#counts SARE_SPEC_XXGEOCITIE5 11s/1h of 13339 corpus (7462s/5877h CT) 05/14/06
+#counts SARE_SPEC_XXGEOCITIE5 14s/0h of 155610 corpus (103978s/51632h DOC) 05/14/06
+#counts SARE_SPEC_XXGEOCITIE5 16s/1h of 42419 corpus (34292s/8127h FVGT) 05/15/06
+#counts SARE_SPEC_XXGEOCITIE5 5s/0h of 23026 corpus (17290s/5736h MY) 05/14/06
+#counts SARE_SPEC_XXGEOCITIE5 197s/0h of 106098 corpus (72789s/33309h ML) 05/14/06
+
+######## ###################### ##################################################
+# Other specific spammers
+######## ###################### ##################################################
+
+# EOF
+
+
diff --git a/common/sare/70_sare_spoof.cf b/common/sare/70_sare_spoof.cf
new file mode 100644
index 0000000..177e148
--- /dev/null
+++ b/common/sare/70_sare_spoof.cf
@@ -0,0 +1,460 @@
+# SARE Spoof Ruleset for SpamAssassin
+# Version: 1.09.21
+# Created: 2004-03-01
+# Modified: 2007-01-15
+# Changes: Various Updates
+# License: Artistic - see http://www.rulesemporium.com/license.txt
+# Current Maintainer: Fred Tarasevicius - tech2@i-is.com
+# Current Home: http://www.rulesemporium.com/rules/70_sare_spoof.cf
+# Comments: To counter whitelists, some rules have extra meta rules to score 100 to override whitelist_from's.
+
+# META RULES USED BY MULTIPLE RULES:
+uri __URI_IS_IP /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//
+
+
+# The following NICE rules can be enabled if you choose, it works for me, adjust scores as needed.
+meta SARE_LEGIT_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && __RCVD_PAYPAL)
+describe SARE_LEGIT_PAYPAL Has signs it's from paypal, from, headers, uri
+score SARE_LEGIT_PAYPAL -0.01
+
+
+#meta SARE_LEGIT_EBAY (__FROM_EBAY && __URI_EBAY && __RCVD_EBAY)
+#describe SARE_LEGIT_EBAY Has signs it's from ebay, from, headers, uri
+#score SARE_LEGIT_EBAY -0.01
+
+
+# Simple test recommended by jdow from SA-users list.
+header __EBAY_FRM_NAME From:name =~ /\bebay\b/i
+header __EBAY_ADDRESS From:addr =~ /[\@\.]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
+meta SARE_EBAY_SPOOF_NAME (__EBAY_FRM_NAME && !__EBAY_ADDRESS)
+score SARE_EBAY_SPOOF_NAME 0.94
+# NEEDS MORE TESTING
+
+
+
+
+
+header __SARE_NAME_VISA From:name =~ /visa/i
+header __SARE_ADDR_VISA From:addr =~ /visa/i
+meta SARE_FORGE_NAME_VISA (__SARE_NAME_VISA && !__SARE_ADDR_VISA)
+score SARE_FORGE_NAME_VISA 0.399
+#counts FM_NAME_VISA_FORGE 1s/0h of 12260 corpus (6588s/5672h CT) 03/17/06
+#counts FM_NAME_VISA_FORGE 18s/0h of 22976 corpus (17263s/5713h MY) 03/17/06
+#counts FM_NAME_VISA_FORGE 3s/0h of 103688 corpus (96287s/7401h FVGT) 03/17/06
+#counts FM_NAME_VISA_FORGE 43s/0h of 108996 corpus (71372s/37624h DOC) 03/17/06
+
+
+
+
+
+
+
+
+uri __SPOOF_FLAGS /flagstar\.com/i
+header __FROM_FLAGSTAR From =~ /\bflagstar\.com/i
+header __RCVD_FLAGSTAR Received =~ /\bflagstar\.com/i
+meta SARE_SPOOF_FLAGSTAR (__SPOOF_FLAGS && __FROM_FLAGSTAR && !__RCVD_FLAGSTAR)
+score SARE_SPOOF_FLAGSTAR 3.667
+#counts SARE_SPOOF_FLAGSTAR 1s/0h of 42564 corpus (34322s/8242h FVGT) 05/26/06
+
+
+
+
+
+# Try to identify USBank.com e-mail
+header __RCVD_USBANK Received =~ /usbank\.com/i
+header __FROM_USBANK From =~ /usbank\.com/i
+uri __URI_USBANK /usbank\.com/i
+meta SARE_FORGED_USBANK (__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
+score SARE_FORGED_USBANK 4.4
+
+#--------------------------------------------------------------------------------------------------#
+## THESE RULES HAVE VERY LARGE SCORES, PLEASE ADJUST TO YOUR NEEDS, I NEED TO OVERRIDE WHITELIST. ##
+#--------------------------------------------------------------------------------------------------#
+
+# Try to identify PAYPAL spoofs by looking for elements which should always appear.
+# If we have a From and an URL of one of these guys, we should also have a received line to match!
+header __RCVD_PAYPAL Received =~ /\.(?:paypal|postdirect)\.com/i
+header __FROM_PAYPAL From =~ /[\@\.]paypa[l1i]\.co[mn]/i
+uri __URI_PAYPAL /[^\@]paypa[lI1]\.com/i
+
+meta SARE_FORGED_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
+describe SARE_FORGED_PAYPAL Message appears to be forged, (paypal.com)
+score SARE_FORGED_PAYPAL 4.0
+
+# If the message is whitelisted, add 100 points to over-ride whitelist.
+meta SARE_FPP_BLOCKER (SARE_FORGED_PAYPAL && USER_IN_WHITELIST)
+score SARE_FPP_BLOCKER 100
+
+
+
+# Try to identify EBAY spoofs by looking for elements which should always appear.
+# If we have a From and an URL of one of these guys, we should also have a received line to match!
+header __RCVD_EBAY1 Received =~ /(?:email)?[^\s@]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
+header __RCVD_EBAY2 Received =~ /ebay\.(?:easynet\.de|emarsys\.net)/
+header __RCVD_EBAY3 Received =~ /sjc\.liveworld\.com/
+meta __RCVD_EBAY (__RCVD_EBAY1 || __RCVD_EBAY2 || __RCVD_EBAY3)
+header __FROM_EBAY From =~ /\@(?:e?mail.?)?ebay\.c/i
+uri __URI_EBAY /\.ebay(?:static)?\.com/i
+
+meta SARE_FORGED_EBAY (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
+describe SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
+score SARE_FORGED_EBAY 4.0
+
+meta SARE_FEB_BLOCKER (SARE_FORGED_EBAY && USER_IN_WHITELIST)
+score SARE_FEB_BLOCKER 100
+
+
+
+# Try to identify SUNTRUST spoofs by looking for elements which should always appear.
+# If we have a From and an URL of one of these guys, we should also have a received line to match!
+header __RCVD_SUNTRUST Received =~ /\.suntrust\.com/i
+header __FROM_SUNTRUST From =~ /[\@\.]suntrust\.com/i
+uri __URI_SUNTRUST /suntrust[a-z0-9-]{0,25}\.com/i
+meta SARE_FORGED_SUNTRUST (__FROM_SUNTRUST && __URI_SUNTRUST && !__RCVD_SUNTRUST)
+describe SARE_FORGED_SUNTRUST Message appears to be forged, (suntrust.com)
+score SARE_FORGED_SUNTRUST 4.0
+
+meta SARE_SUN_BLOCKER (SARE_FORGED_SUNTRUST && USER_IN_WHITELIST)
+score SARE_SUN_BLOCKER 100
+
+
+
+
+header __RCVD_WACHOVIA Received =~ /wachovia\.com[^\)]/i
+header __FROM_WACHOVIA From =~ /\@wachovia\.com/i
+uri __URI_WACHOVIA /\bwachovia\.com/i
+meta SARE_FORGED_WACHOVIA (__FROM_WACHOVIA && __URI_WACHOVIA && !__RCVD_WACHOVIA)
+score SARE_FORGED_WACHOVIA 3.0
+#counts SARE_FORGED_WACHOVIA 0s/0h of 82118 corpus (57948s/24170h ML) 04/03/06
+#counts SARE_FORGED_WACHOVIA 0s/0h of 12246 corpus (6574s/5672h CT) 04/03/06
+#counts SARE_FORGED_WACHOVIA 0s/0h of 10377 corpus (7302s/3075h ) 04/03/06
+#counts SARE_FORGED_WACHOVIA 0s/0h of 22951 corpus (17237s/5714h MY) 04/03/06
+#counts SARE_FORGED_WACHOVIA 2s/0h of 41810 corpus (34135s/7675h FVGT) 04/03/06
+
+
+
+
+
+# Try to identify CHASEBANK spoofs by looking for elements which should always appear.
+# If we have a From and an URL of one of these guys, we should also have a received line to match!
+header __RCVD_CHASE_A Received =~ /[^@]\bchase\.com/i
+header __RCVD_CHASE_B Received =~ /\bbigfootinteractive\.com/i
+meta __RCVD_CHASE (__RCVD_CHASE_A || __RCVD_CHASE_B)
+header __FROM_CHASE From =~ /\bchase\.com/i
+uri __URI_CHASE m'(?:\.chase\.com|http://chase)'i
+meta SARE_FORGED_CHASE (__FROM_CHASE && __URI_CHASE && (!__RCVD_CHASE && !__RCVD_BANKONE))
+describe SARE_FORGED_CHASE Message appears to be forged, (chase.com)
+score SARE_FORGED_CHASE 3.4
+
+header __RCVD_BANKONE Received =~ /\bbankone\.com/i
+header __FROM_BANKONE From =~ /\bbankone\.com/i
+uri __URI_BANKONE /\.bankone\.com/i
+meta SARE_FORGED_BANK1 (__FROM_BANKONE && __URI_BANKONE && (!__RCVD_CHASE && !__RCVD_BANKONE))
+score SARE_FORGED_BANK1 3.0
+
+
+
+
+# Try to identify CITIBANK spoofs by looking for elements which should always appear.
+# If we have a From and an URL of one of these guys, we should also have a received line to match!
+header __RCVD_CITIBNK_A Received =~ /(?:citi(?:bank(?:cards)?|cards|corp|bankcards)|acxiom|c2it)\.com/i
+header __RCVD_CITIBNK_B Received =~ /bridgetrack\.com/i
+meta __RCVD_CITIBNK (__RCVD_CITIBNK_A || __RCVD_CITIBNK_B || __RCVD_CHASE_B)
+header __FROM_CITIBNK From =~ /\bciti(?:bank)?(?:cards)?\.com/i
+uri __URI_CITIBNK /\bciti(?:bank)?\.com/i
+meta SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
+describe SARE_FORGED_CITI Message appears to be forged, (citibank.com)
+score SARE_FORGED_CITI 4.0
+
+meta SARE_CIT_BLOCKER (SARE_FORGED_CITI && USER_IN_WHITELIST)
+score SARE_CIT_BLOCKER 100
+
+
+
+
+
+
+
+
+# I'm testing a few new variations of these rules, trying to find people just spoofing the from headers.
+meta SARE_FORGED_PAYPAL_C (__FROM_PAYPAL && !__RCVD_PAYPAL)
+describe SARE_FORGED_PAYPAL_C Has Paypal from, no Paypal received header.
+score SARE_FORGED_PAYPAL_C 1.3
+
+# About.com has plenty of spams which spoof their address.
Here's a set of rules just for them ;)
+header __RCVD_ABOUT_COM Received =~ /\.about\.com/i
+header __FROM_ABOUT_COM From =~ /\babout\.com/i
+uri __URI_ABOUT_COM /\.about\.com/i
+meta SARE_FORGED_ABOUT (!__RCVD_ABOUT_COM && __FROM_ABOUT_COM && !__URI_ABOUT_COM)
+describe SARE_FORGED_ABOUT Message appears to be forged, (about.com)
+score SARE_FORGED_ABOUT 2.879
+
+
+# another spoof using forms
+rawbody __FHAS_HTML_FORM /<form/i
+rawbody __FHAS_EBAY_FORM /<form (?:name="\w{4,20}"\s)?(?:method="?post"?\s)?action="?http:\/\/[^.]{3,7}\.ebay\.com[^>]{4,125}>/i
+meta __HASFORM_NOT_EBAY (__FHAS_HTML_FORM && !__FHAS_EBAY_FORM)
+meta SARE_SPOOF_EBAYFORM (__FROM_EBAY && __HASFORM_NOT_EBAY)
+score SARE_SPOOF_EBAYFORM 1.495
+
+
+# New set for spoofs
+
+header __RCVD_2CHECKOUT Received =~ /\.2checkout\.com/i
+header __FROM_2CHECKOUT From =~ /\@2checkout\.com/i
+uri __URI_2CHECKOUT /\b2checkout\.com/i
+meta SARE_FORGED_2CHK (__FROM_2CHECKOUT && __URI_2CHECKOUT && !__RCVD_2CHECKOUT)
+score SARE_FORGED_2CHK 3.0
+
+header __RCVD_2CO Received =~ /\.2co\.com/i
+header __FROM_2CO From =~ /\@2co\.com/i
+uri __URI_2CO /\b2co\.com/i
+meta SARE_FORGED_2CO (__FROM_2CO && __URI_2CO && !__RCVD_2CO)
+score SARE_FORGED_2CO 3.0
+
+header __RCVD_53 Received =~ /\.53\.com/i
+header __FROM_53 From =~ /\@53\.com/i
+uri __URI_53 /\b53\.com/i
+meta SARE_FORGED_53 (__FROM_53 && __URI_53 && !__RCVD_53)
+score SARE_FORGED_53 3.0
+
+header __RCVD_AMAZON Received =~ /\.amazon\.com/i
+header __FROM_AMAZON From =~ /\@amazon\.com/i
+uri __URI_AMAZON /\bamazon\.com/i
+meta SARE_FORGED_AMAZON (__FROM_AMAZON && __URI_AMAZON && !__RCVD_AMAZON)
+score SARE_FORGED_AMAZON 3.0
+
+header __RCVD_AMERITR Received =~ /\.ameritrade\.com/i
+header __FROM_AMERITR From =~ /\@ameritrade\.com/i
+uri __URI_AMERITR /\bameritrade\.com/i
+meta SARE_FORGED_AMERIT (__FROM_AMERITR && __URI_AMERITR && !__RCVD_AMERITR)
+score SARE_FORGED_AMERIT 3.0
+
+header __RCVD_AMEX Received =~ /\.americanexpress\.com/i
+header __FROM_AMEX From =~
/\@americanexpress\.com/i
+uri __URI_AMEX /\bamericanexpress\.com/i
+meta SARE_FORGED_AMEX (__FROM_AMEX && __URI_AMEX && !__RCVD_AMEX)
+score SARE_FORGED_AMEX 3.0
+
+header __RCVD_BANKNORTH Received =~ /\.banknorth\.com/i
+header __FROM_BANKNORTH From =~ /\@banknorth\.com/i
+uri __URI_BANKNORTH /\bbanknorth\.com/i
+meta SARE_FORGED_BANK_N (__FROM_BANKNORTH && __URI_BANKNORTH && !__RCVD_BANKNORTH)
+score SARE_FORGED_BANK_N 3.0
+
+header __RCVD_BANKOFA1 Received =~ /\.bankofamerica\.com/i
+header __RCVD_BANKOFA2 Received =~ /\.customercenter\.net/i
+meta __RCVD_BANKOFA (__RCVD_BANKOFA1 || __RCVD_BANKOFA2)
+header __FROM_BANKOFA From =~ /[\@\.]bankofamerica\.com/i
+uri __URI_BANKOFA /\bbankofamerica\.com/i
+meta SARE_FORGED_BANKOFA (__FROM_BANKOFA && __URI_BANKOFA && !__RCVD_BANKOFA)
+score SARE_FORGED_BANKOFA 3.0
+
+
+header __RCVD_BANKOFO Received =~ /\.bankofoklahoma\.com/i
+header __FROM_BANKOFO From =~ /\@bankofoklahoma\.com/i
+uri __URI_BANKOFO /\bbankofoklahoma\.com/i
+meta SARE_FORGED_BANKOFO (__FROM_BANKOFO && __URI_BANKOFO && !__RCVD_BANKOFO)
+score SARE_FORGED_BANKOFO 3.0
+
+header __RCVD_BANKOFW Received =~ /\.bankofthewest\.com/i
+header __FROM_BANKOFW From =~ /\@bankofthewest\.com/i
+uri __URI_BANKOFW /\bbankofthewest\.com/i
+meta SARE_FORGED_BANKOFW (__FROM_BANKOFW && __URI_BANKOFW && !__RCVD_BANKOFW)
+score SARE_FORGED_BANKOFW 3.0
+
+header __RCVD_CAPITAL1 Received =~ /\.capitalone\.com/i
+header __FROM_CAPITAL1 From =~ /\@capitalone\.com/i
+uri __URI_CAPITAL1 /\bcapitalone\.com/i
+meta SARE_FORGED_CAPITAL (__FROM_CAPITAL1 && __URI_CAPITAL1 && !__RCVD_CAPITAL1)
+score SARE_FORGED_CAPITAL 3.0
+
+header __RCVD_CFSBANK Received =~ /\.citizensfirstbank\.com/i
+header __FROM_CFSBANK From =~ /\@citizensfirstbank\.com/i
+uri __URI_CFSBANK /\bcitizensfirstbank\.com/i
+meta SARE_FORGED_CFSBANK (__FROM_CFSBANK && __URI_CFSBANK && !__RCVD_CFSBANK)
+score SARE_FORGED_CFSBANK 3.0
+
+header __RCVD_CHARTER1 Received =~ /\.charterone(?:bank)?\.com/i
+header
__FROM_CHARTER1 From =~ /\@charterone(?:bank)?\.com/i
+uri __URI_CHARTER1 /\bcharterone(?:bank)?\.com/i
+meta SARE_FORGED_CHARTER (__FROM_CHARTER1 && __URI_CHARTER1 && !__RCVD_CHARTER1)
+score SARE_FORGED_CHARTER 3.0
+
+header __RCVD_CITIZENS Received =~ /\.citizensbank\.com/i
+header __FROM_CITIZENS From =~ /\@citizensbank\.com/i
+uri __URI_CITIZENS /\bcitizensbank\.com/i
+meta SARE_FORGED_CITIZEN (__FROM_CITIZENS && __URI_CITIZENS && !__RCVD_CITIZENS)
+score SARE_FORGED_CITIZEN 3.0
+
+header __RCVD_COMFED Received =~ /\.comfedbank\.com/i
+header __FROM_COMFED From =~ /\@comfedbank\.com/i
+uri __URI_COMFED /\bcomfedbank\.com/i
+meta SARE_FORGED_COMFED (__FROM_COMFED && __URI_COMFED && !__RCVD_COMFED)
+score SARE_FORGED_COMFED 3.0
+
+header __RCVD_COMMERCE Received =~ /\.commercebank\.com/i
+header __FROM_COMMERCE From =~ /\@commercebank\.com/i
+uri __URI_COMMERCE /\bcommercebank\.com/i
+meta SARE_FORGED_COMMERCE (__FROM_COMMERCE && __URI_COMMERCE && !__RCVD_COMMERCE)
+score SARE_FORGED_COMMERCE 3.0
+
+header __RCVD_DISCOVER Received =~ /\.discovercard\.com/i
+header __FROM_DISCOVER From =~ /\@discovercard\.com/i
+uri __URI_DISCOVER /\bdiscovercard\.com/i
+meta SARE_FORGED_DISCOVER (__FROM_DISCOVER && __URI_DISCOVER && !__RCVD_DISCOVER)
+score SARE_FORGED_DISCOVER 3.0
+
+header __RCVD_EGOLD Received =~ /\.e-goldk\.com/i
+header __FROM_EGOLD From =~ /\@e-gold\.com/i
+uri __URI_EGOLD /\be-gold\.com/i
+meta SARE_FORGED_EGOLD (__FROM_EGOLD && __URI_EGOLD && !__RCVD_EGOLD)
+score SARE_FORGED_EGOLD 3.0
+
+header __RCVD_FDIC Received =~ /\.fdic\.gov/i
+header __FROM_FDIC From =~ /\@fdic\.gov/i
+uri __URI_FDIC /\bfdic\.gov/i
+meta SARE_FORGED_FDIC (__FROM_FDIC && __URI_FDIC && !__RCVD_FDIC)
+score SARE_FORGED_FDIC 3.0
+
+header __RCVD_FLEET Received =~ /\.fleet(?:bank)?\.com/i
+header __FROM_FLEET From =~ /\@fleet(?:bank)?\.com/i
+uri __URI_FLEET /\bfleet(?:bank)?\.com/i
+meta SARE_FORGED_FLEET (__FROM_FLEET && __URI_FLEET && !__RCVD_FLEET)
+score SARE_FORGED_FLEET 3.0
+
+header __RCVD_HUNTINGTON Received =~ /\.(?:exacttarget|huntington)\.com/i
+header __FROM_HUNTINGTON From =~ /\@huntington\.com/i
+uri __URI_HUNTINGTON /\bhuntington\.com/i
+meta SARE_FORGED_HUNTIN (__FROM_HUNTINGTON && __URI_HUNTINGTON && !__RCVD_HUNTINGTON)
+score SARE_FORGED_HUNTIN 3.0
+
+header __RCVD_KEYBANK Received =~ /\.keybank\.com/i
+header __FROM_KEYBANK From =~ /\@keybank\.com/i
+uri __URI_KEYBANK /\bkeybank\.com/i
+meta SARE_FORGED_KEY (__FROM_KEYBANK && __URI_KEYBANK && !__RCVD_KEYBANK)
+score SARE_FORGED_KEY 3.0
+
+header __RCVD_LASALLE Received =~ /\.lasallebank\.com/i
+header __FROM_LASALLE From =~ /\@lasallebank\.com/i
+uri __URI_LASALLE /\blasallebank\.com/i
+meta SARE_FORGED_LASAL (__FROM_LASALLE && __URI_LASALLE && !__RCVD_LASALLE)
+score SARE_FORGED_LASAL 3.0
+
+header __RCVD_MIBANK Received =~ /\.mibank\.com/i
+header __FROM_MIBANK From =~ /\@mibank\.com/i
+uri __URI_MIBANK /\bmibank\.com/i
+meta SARE_FORGED_MIBANK (__FROM_MIBANK && __URI_MIBANK && !__RCVD_MIBANK)
+score SARE_FORGED_MIBANK 3.0
+
+header __RCVD_MBNA Received =~ /\.mbna\.com/i
+header __FROM_MBNA From =~ /\@mbna\.com/i
+uri __URI_MBNA /\bmbna\.com/i
+meta SARE_FORGED_MBNA (__FROM_MBNA && __URI_MBNA && !__RCVD_MBNA)
+score SARE_FORGED_MBNA 3.0
+
+header __RCVD_NCUA Received =~ /\.ncua\.gov/i
+header __FROM_NCUA From =~ /\@ncua\.gov/i
+uri __URI_NCUA /\bncua\.gov/i
+meta SARE_FORGED_NCUA (__FROM_NCUA && __URI_NCUA && !__RCVD_NCUA)
+score SARE_FORGED_NCUA 3.0
+
+header __RCVD_REGIONS Received =~ /\.regionsbank\.com/i
+header __FROM_REGIONS From =~ /\@regionsbank\.com/i
+uri __URI_REGIONS /\bregionsbank\.com/i
+meta SARE_FORGED_REGION (__FROM_REGIONS && __URI_REGIONS && !__RCVD_REGIONS)
+score SARE_FORGED_REGION 3.0
+
+header __RCVD_SKYBANK Received =~ /\.sky(?:-bank|fi)\.com/i
+header __FROM_SKYBANK From =~ /\@sky(?:-bank|fi)\.com/i
+uri __URI_SKYBANK /\bsky(?:-bank|fi)\.com/i
+meta SARE_FORGED_SKY (__FROM_SKYBANK && __URI_SKYBANK && !__RCVD_SKYBANK)
+score SARE_FORGED_SKY 3.0
+
+header __RCVD_STRUST Received =~ /\.southtrust\.com/i
+header __FROM_STRUST From =~ /\@southtrust\.com/i
+uri __URI_STRUST /\bsouthtrust\.com/i
+meta SARE_FORGED_STRUST (__FROM_STRUST && __URI_STRUST && !__RCVD_STRUST)
+score SARE_FORGED_STRUST 3.0
+
+header __RCVD_TCFBANK Received =~ /\.tcfbank\.com/i
+header __FROM_TCFBANK From =~ /\@tcfbank\.com/i
+uri __URI_TCFBANK /\btcfbank\.com/i
+meta SARE_FORGED_TCF (__FROM_TCFBANK && __URI_TCFBANK && !__RCVD_TCFBANK)
+score SARE_FORGED_TCF 3.0
+
+header __RCVD_VISA Received =~ /\.visa\.com/i
+header __FROM_VISA From =~ /\@visa\.com/i
+uri __URI_VISA /visa/i
+meta SARE_FORGED_VISA (__FROM_VISA && __URI_VISA && !__RCVD_VISA)
+score SARE_FORGED_VISA 3.0
+
+header __RCVD_WELLS Received =~ /\.wellsfargo\.com/i
+header __FROM_WELLS From =~ /\@wellsfargo\.com/i
+uri __URI_WELLS /\bwellsfargo\.com/i
+meta SARE_FORGED_WELLS (__FROM_WELLS && __URI_WELLS && !__RCVD_WELLS)
+score SARE_FORGED_WELLS 4.209
+
+header __RCVD_WESTERN Received =~ /\.westernunion\.com/i
+header __FROM_WESTERN From =~ /\@westernunion\.com/i
+uri __URI_WESTERN /\bwesternunion\.com/i
+meta SARE_FORGED_WESTERN (__FROM_WESTERN && __URI_WESTERN && !__RCVD_WESTERN)
+score SARE_FORGED_WESTERN 3.0
+
+
+
+
+
+
+
+
+# Catch Common banks with IP address for URL.
+meta __POPULAR_BANKS (__URI_PAYPAL || __URI_EBAY || __URI_CITIBNK || __URI_SUNTRUST || __URI_CHASE || __URI_BANKONE || __URI_ABOUT_COM || __URI_2CHECKOUT || __URI_2CO || __URI_53 || __URI_AMAZON || __URI_AMERITR || __URI_AMEX || __URI_BANKNORTH || __URI_BANKOFA || __URI_BANKOFO || __URI_BANKOFW || __URI_CAPITAL1 || __URI_CFSBANK || __URI_CHARTER1 || __URI_CITIZENS || __URI_COMFED || __URI_COMMERCE || __URI_DISCOVER || __URI_EGOLD || __URI_FDIC || __URI_FLEET || __URI_HUNTINGTON || __URI_KEYBANK || __URI_LASALLE || __URI_MIBANK || __URI_MBNA || __URI_NCUA || __URI_REGIONS || __URI_SKYBANK || __URI_STRUST || __URI_TCFBANK || __URI_VISA || __URI_WELLS || __URI_WESTERN)
+meta SARE_BANK_URI_IP (__POPULAR_BANKS && __URI_IS_IP)
+score SARE_BANK_URI_IP 0.653
+
+
+
+
+
+
+
+
+# Added 22-4-2004 by Jesse Houwing
+uri SARE_SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}}i
+describe SARE_SPOOF_COM2COM a.com.b.com
+score SARE_SPOOF_COM2COM 2.536
+
+uri SARE_SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
+describe SARE_SPOOF_COM2OTH a.com.b.c
+score SARE_SPOOF_COM2OTH 2.536
+
+uri SARE_SPOOF_OURI m{^(?:h|%68|%48)(?:t|%74|%54)(?:t|%74|%54)(?:p|%70|%50)(?:s|%73|%53)?(?::|%3a)(?:/|%2f){0,2}(?:[^@]+@)*?(?:a-z0-9_%-]+?(?:\.|%2e)){2,}(?:org|com|www)(?!\.edgesuite\.net)(?:(?:\.|%2e)[a-z0-9_%-]+?){2,}(?:(?::|%3a)\d+)?}i
+describe SARE_SPOOF_OURI URL has items in odd places
+score SARE_SPOOF_OURI 2.536
+
+
+# Added 07/28/2005 submitted by e-mail
+header __LOCAL_PP_ISFROMPP From:addr =~ /\@(?:paypal|ebay)\.com$/i
+header __LOCAL_PP_S_UPD Subject: =~ m'(?:confirm|update) (?:your|the) (?:billing)?(?:records?|information|account)'i
+header __LOCAL_PP_S_AUT Subject: =~ m'unauthori[sz]ed access'i
+body __LOCAL_PP_B_UPD m'(?:confirm|updated?|verify|restore) (?:your|the) (?:account|current|billing|personal)? 
 ?(?:records?|information|account|identity|access|data)'i
+body __LOCAL_PP_B_ATT m'one or more attempts'i
+body __LOCAL_PP_B_ACT m'unusual activity'i
+uri __LOCAL_PP_PPCGIURL m'https?://www\.paypal\.com/([A-Za-z0-9-_]+/)?cgi-bin/webscr\?'i
+uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!(paypal|ebay)\.com)(?:[A-Za-z0-9-_\.]+)'i
+
+meta SARE_SPOOF_BADURL (__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) || __LOCAL_PP_PPCGIURL) && __LOCAL_PP_NONPPURL)
+meta SARE_SPOOF_BADADDR (!__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) && __LOCAL_PP_PPCGIURL))
+
+score SARE_SPOOF_BADURL 1.059
+score SARE_SPOOF_BADADDR 1.059
+
+
+# Describe length test for 3.0 requirements:
+# 12345678901234567890123456789012345678901234567890
+# 1 2 3 4 5
+#
+
+# EOF
diff --git a/common/sare/70_sare_stocks.cf b/common/sare/70_sare_stocks.cf
new file mode 100644
index 0000000..46e906d
--- /dev/null
+++ b/common/sare/70_sare_stocks.cf
@@ -0,0 +1,916 @@
+# SARE Stocks Ruleset for SpamAssassin
+# Version: 01.01.02
+# Created: 2005-12-18
+# Modified: 2007-08-18
+# License: Artistic - http://www.rulesemporium.com/license.txt
+# Current Maintainer: Sare Ninja - maddoc@maddoc.net
+# Current Home: http://www.rulesemporium.com/rules/70_sare_stocks.cf
+# Changes:
+# 00.01.00 Created First Release
+# 00.01.01 Removed some rules not belonging to this set.
+# 00.01.02 Changed SARE_MLH_Stock2 t different regex pattern and
+# 00.01.03 Added masschecker results.
+# 00.01.04 Adjusted scores and redid some of Loren and Mikes rules.
+# 00.01.05 Fixed Rule score typo
+# 00.01.06 Adjusted Lorens rules and fixed overlaps
+# 00.01.07 Adjusted some of Mikes rules
+# 00.01.08 Redid a lot of the rules. Added Freds stock rules. Removed Docs rules. Added More Loren rules. Added Bob and Mike rules
+# 00.01.09 Removed dupe rules
+# 00.01.10 Added new Loren rules and adjusted scoring.
+# 01.00.00 Rescored and final masschecked.
+# 01.00.01 Tweaked some FP scores. Removed some overlap rules.
+# 01.00.02 Rescored.
+# 01.00.03 Added counts and some new rules.
+# 01.00.04 Added new rule.
+# 01.00.05 Added multiple rules from Loren and Chris S. Fixed one rule.
+# 01.00.06 Added and replaced rules from Mike.
+# 01.00.07 Fixed rules so they will now lint correctly with SA 3.2. Made changes to some rules to catch new stock spam.
+# 01.00.08 Removed some low scoring rules which were hitting hams. Removed a couple reduntant Loren rules. Updated one of Mikes rules.
+# 01.00.09 Updated one of Mikes rules.
+# 01.00.10 Updated Mikes rules.
+# 01.00.11 Updated Mikes obf rules.
+# 01.00.12 Updated Mikes obf rules. Added new gif only stock rules from Dallas.
+# 01.00.13 Added Freds counts from his other masschecker. Fixed Modified date.
+# 01.00.14 Removed Dupe rules. Updated Raymonds rules. Updated Mikes obf rules.
+# 01.00.15 Added more stock rules from Mike. Fixed Dallas's gif catcher to catch UPPER case. Updated Mike's obf rules.
+# 01.00.16 Updated Mikes obf rules.
+# 01.00.17 Updated Mikes obf rules. Updated Raymonds rules. Tweaked Dallas's gif catcher.
+# 01.00.18 Updated Mikes obf rules. More tweaks of gif catcher.
+# 01.00.19 Updated Mikes obf rules.
+# 01.00.20 Updated Mikes obf rules.
+# 01.00.21 Updated Mikes obf rules.
+# 01.00.22 Updated Mikes obf rules. Updated Raymonds rules.
+# 01.00.23 Updated Mikes obf rules.
+# 01.00.24 Updated Mikes obf rules.
+# 01.00.25 Updated Mikes obf rules.
+# 01.00.26 Updated Mikes obf rules and SARE_MLH_Stock1 rule.
+# 01.00.27 Updated Mikes obf rules. Updated Raymonds rules.
+# 01.00.28 Tweeked GIF catcher rule.
+# 01.00.29 Updated Mikes obf rules.
+# 01.00.30 Updated Mikes obf rules.
+# 01.00.31 Updated Mikes obf rules.
+# 01.00.32 Updated Mikes obf rules.
+# 01.00.33 Updated Mikes obf rules.
+# 01.00.34 Updated Mikes obf rules.
+# 01.00.35 Updated Mikes obf rules.
+# 01.00.36 Fixed Updated Mikes obf rules.
+# 01.00.37 Added Chris S. Rules to the mix.
+# 01.00.38 Updated Mikes obf rules.
+# 01.00.39 Updated Mikes obf rules.
+# 01.00.40 Fixed error
+# 01.00.41 Update Mikes obf rules.
+# 01.00.42 Added new rule from Mike.
+# 01.00.43 Added new rule from Mike. Update Raymonds rules.
+# 01.00.44 Commented out some extra rules not being used.
+# 01.00.45 Update Raymonds rules.
+# 01.01.01 Massive updates. Removed some rules and re-scoring of others.
+# 01.01.02 Updated PROLOSTOCK rules / Added SARE_AXBSTOCK_* rules [AXB]
+# Comments are:
+# This file is for catching pump and dump stock scam/spams
+
+# 2005-12-18
+# Contributed by Mike
+header SARE_MLH_Stock1 Subject =~ /(penny )?st[o0]cks?|cribsheet|marcket|stox|small[ -]?cap|stock report/i
+describe SARE_MLH_Stock1 Subject mentions stock or stock related words
+score SARE_MLH_Stock1 0.87
+##counts SARE_MLH_Stock1 150s/6h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_MLH_Stock1 1635s/4h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_MLH_Stock1 1698s/9h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_MLH_Stock1 216s/6h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_MLH_Stock1 468s/11h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_MLH_Stock1 597s/4h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_MLH_Stock1 6169s/765h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+header SARE_MLH_Stock2 Subject =~ /micr[qw]?o-?caa?pk?s?/i
+describe SARE_MLH_Stock2 Subject mentions microcap
+score SARE_MLH_Stock2 1.66
+##counts SARE_MLH_Stock2 16s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_MLH_Stock2 181s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_MLH_Stock2 204s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_MLH_Stock2 25s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_MLH_Stock2 35s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_MLH_Stock2 74s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_MLH_Stock2 800s/0h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+
+body SARE_MLB_Stock1 /(?:Opening|Current|Target|Projected)[ _-]Price[ :;-]/i
+score SARE_MLB_Stock1 1.48
+##counts SARE_MLB_Stock1 1903s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_MLB_Stock1 2146s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_MLB_Stock1 314s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_MLB_Stock1 
46s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_MLB_Stock1 550s/96h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_MLB_Stock1 6900s/465h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_MLB_Stock1 884s/4h of 37304 corpus (31827s/5477h MY) 01/25/06
+
+body SARE_MLB_Stock2 /Short Term Target(?::| Price:)/i
+score SARE_MLB_Stock2 1.66
+##counts SARE_MLB_Stock2 135s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_MLB_Stock2 268s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_MLB_Stock2 29s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_MLB_Stock2 2s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_MLB_Stock2 330s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_MLB_Stock2 623s/0h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_MLB_Stock2 86s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+
+body SARE_MLB_Stock3 /Last[ _](?:Trade|Price)[ :]/i
+score SARE_MLB_Stock3 1.58
+##counts SARE_MLB_Stock3 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_MLB_Stock3 14s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_MLB_Stock3 172s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_MLB_Stock3 181s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_MLB_Stock3 1s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_MLB_Stock3 5s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_MLB_Stock3 95s/24h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+body SARE_MLB_Stock4 /[0-9][ -]Day Target[(:?_| )Price]?: /i
+score SARE_MLB_Stock4 1.66
+##counts SARE_MLB_Stock4 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_MLB_Stock4 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_MLB_Stock4 124s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_MLB_Stock4 127s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_MLB_Stock4 274s/0h of 508570 corpus (180270s/328300h RM) 
01/25/06 +##counts SARE_MLB_Stock4 46s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_MLB_Stock4 72s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 + +body SARE_MLB_Stock5 /^(?:St[o0]ck[_]Symb[o0]l|Symb[o0]l|S\s?y\s?m\s?b\s?[o0]\s?l|Ticker|OTC):/i +describe SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. +score SARE_MLB_Stock5 1.66 +#counts SARE_MLB_Stock5 182s/0h of 11694 corpus (6133s/5561h CT) 02/15/06 +#counts SARE_MLB_Stock5 80s/0h of 7686 corpus (5464s/2222h AxB) 02/16/06 +#counts SARE_MLB_Stock5 287s/0h of 27454 corpus (21822s/5632h MY) 02/15/06 +#counts SARE_MLB_Stock5 1556s/0h of 95397 corpus(56017s/39380h DOC) 02/15/06 +#counts SARE_MLB_Stock5 261s/0h of 27175 corpus (19315s/7860h FT) 02/15/06 +#counts SARE_MLB_Stock5 1421s/0h of 71535 corpus(56115s/15420h ML) 02/15/06 + + +# SARE_MLB_Stock6.cf -- autogenerated rule +# generated -- Thu Jan 18 04:26:53 2007 +# Currently contains 109 obfu stock tickers + + +body SARE_MLB_Stock6 /\b(?:(E\.GL\.y)|(Eg \|_ y)|(e g \| y)|(egly)|.P.\s+.P.\s+.?\s+.T.\s+.L.|.P.\s+.P.\s+.T.\s+.L.|A B S Y|A D\s+Y E|A G.A-O|A M S N|A.?E.?T.?R|A.?G.?A.?O|A.?L.?V.?N|A.?S.?I.?Q|A.?U.?N.?I|A.D.Y.E|B.?C.?L.?C|B.?M.?S.?N|C T X E|C.?F.?S.?C|C.?G.?D.?C|C.?N.?H.?C|C.?T.?F.?E|C.?V.?N.?.?I|C.?W.?T.?D|C.?Y.?H.?D|D K D Y|D M S I|E G L Y|E . G . \|_ . Y|E = G = L = Y|E.?R.?U.?G|E.G.L.Y|E.X.T.I|E.q.t.d|F C P G|F.?C.?Y.?I|G APJ|G.?C.?M.?E|G.?D.?K.?I|G.?G.?T.?S|G.?L.?X.?I|G.A.R.S|GA PJ|H N S T|H.?Y.?W.?I|I G A M|I Z O N|I.?N.?F.?X|I.?V.?A.?Y|I.?V.?H.?N|I.L.K.G|I\s*?F\s*?N\s*X|K K P T|K\. m A g|L I T L|M.?B.?W.?C|N . S . \|_ . T|N.~.S.~.\|__ .~.T|N N F C|N S \|_ T|N ~ S ~ \|__ ~ T|N.?H.?L.?G|N.M.E.N|N\s.{1,3}\sS\s.{1,3}\sL\s.{1,3}\sT|P P T \|_|P S U D|P.?I.?F.?R|P.P.T.L|Q.?E.?G.?Y|R C H N|R . T . C . 
I|R K L C|R T C [I\|]|R _~_ T _~_ C _~_ I |R.?R.?E.?F|R.K.L.C|R.T.C.I|S B B D|S R V N|S.?B.?N.?S|T.?Q.?W.?W|U M S Y|U S T A|V N B L|V.?G.?Y.?I|V.?M.?C.?I|W T A F|W.?B.?R.?S|W.?E.?X.?E|W.N.C.P|[Cc].?[Dd].?[Pp].?[Nn]|[Hh][Ll][Vv][Cc]|[Pp] [Gg] [Cc] [Nn]|[Pp]\s*[Pp]\s*[Tt]\s*[Ll\|]|\(PPT\|_\)|\(pptl\)|\bn.s.?l.t\b|\|\\\| .~. S .~. \|_ .~. T|_N S L T_|__ \|\\\| S L T|`P...`P...`T...`L|cgdc|e g !_ y|f.?c.?y.?i|hlun|r . t . c . i|r\s{1,3}t\s{1,3}c\s{1,3}i|v n b \||vnb\|)\b/ +describe SARE_MLB_Stock6 ML obfuscated ticker symbols +score SARE_MLB_Stock6 1.56 +#counts SARE_MLB_Stock6 33s/3h of 5376 corpus (1407s/3969h AxB) 09/11/06 +#counts SARE_MLB_Stock6 911s/0h of 20229 corpus (13902s/6327h CT) 09/10/06 +#counts SARE_MLB_Stock6 271s/3h of 44285 corpus (40325s/3960h AxB2) 09/11/06 +#counts SARE_MLB_Stock6 10378s/0h of 220512 corpus (170427s/50085h ML) 09/10/06 +#counts SARE_MLB_Stock6 4712s/1h of 230718 corpus (160414s/70304h DOC) 09/10/06 + +header SARE_MLH_Stock7 Subject =~ /\b(?:maven|savvy|aggressive) (?:investors?|newsletter|microcap|pinksheet)/i +describe SARE_MLH_Stock7 Various common stock subjects +score SARE_MLH_Stock7 1.66 +#counts SARE_MLH_Stock7 12s/0h of 22943 corpus (17230s/5713h MY) 03/09/06 +#counts SARE_MLH_Stock7 1s/0h of 8715 corpus (6489s/2226h AxB) 03/10/06 +#counts SARE_MLH_Stock7 2s/0h of 12237 corpus (6565s/5672h CT) 03/09/06 +#counts SARE_MLH_Stock7 4s/0h of 15635 corpus (7818s/7817h FT) 03/10/06 +#counts SARE_MLH_Stock7 60s/0h of 106455 corpus (67078s/39377h DOC) 03/09/06 +#counts SARE_MLH_Stock7 80s/0h of 104557 corpus (96562s/7995h FVGT) 03/10/06 +#counts SARE_MLH_Stock7 84s/0h of 92299 corpus (73883s/18416h ML) 03/09/06 + +header SARE_MLH_Stock8 Subject =~ /platinum report|platinum stock (?:report|newsletter)/i +describe SARE_MLH_Stock8 Platinum !! 
+score SARE_MLH_Stock8 1.66 +#counts SARE_MLH_Stock8 0s/0h of 8715 corpus (6489s/2226h AxB) 03/10/06 +#counts SARE_MLH_Stock8 25s/0h of 106455 corpus (67078s/39377h DOC) 03/09/06 +#counts SARE_MLH_Stock8 2s/0h of 15635 corpus (7818s/7817h FT) 03/10/06 +#counts SARE_MLH_Stock8 3s/0h of 22943 corpus (17230s/5713h MY) 03/09/06 +#counts SARE_MLH_Stock8 42s/0h of 92299 corpus (73883s/18416h ML) 03/09/06 +#counts SARE_MLH_Stock8 4s/0h of 12237 corpus (6565s/5672h CT) 03/09/06 +#counts SARE_MLH_Stock8 73s/0h of 104557 corpus (96562s/7995h FVGT) 03/10/06 + +header SARE_MLH_Stock9 Subject =~ /attention (?:all|all penny|- |investors|penny|small)/i +describe SARE_MLH_Stock9 Do I have your attention? +score SARE_MLH_Stock9 1.66 +#counts SARE_MLH_Stock9 13s/0h of 12237 corpus (6565s/5672h CT) 03/09/06 +#counts SARE_MLH_Stock9 182s/0h of 92299 corpus (73883s/18416h ML) 03/09/06 +#counts SARE_MLH_Stock9 215s/0h of 106455 corpus (67078s/39377h DOC) 03/09/06 +#counts SARE_MLH_Stock9 232s/0h of 104557 corpus (96562s/7995h FVGT) 03/10/06 +#counts SARE_MLH_Stock9 3s/0h of 15635 corpus (7818s/7817h FT) 03/10/06 +#counts SARE_MLH_Stock9 4s/0h of 8715 corpus (6489s/2226h AxB) 03/10/06 +#counts SARE_MLH_Stock9 9s/0h of 22943 corpus (17230s/5713h MY) 03/09/06 + +header SARE_MLH_Stock10 Subject =~ /bull'?s?\s?(?:market|stock|is back|eye|today|stocks?|hunter|rally)/i +describe SARE_MLH_Stock10 Yup, it's bull alright. 
+score SARE_MLH_Stock10 1.66 +#counts SARE_MLH_Stock10 10s/0h of 22943 corpus (17230s/5713h MY) 03/09/06 +#counts SARE_MLH_Stock10 1s/0h of 8715 corpus (6489s/2226h AxB) 03/10/06 +#counts SARE_MLH_Stock10 6s/0h of 15635 corpus (7818s/7817h FT) 03/10/06 +#counts SARE_MLH_Stock10 71s/0h of 106455 corpus (67078s/39377h DOC) 03/09/06 +#counts SARE_MLH_Stock10 7s/0h of 12237 corpus (6565s/5672h CT) 03/09/06 +#counts SARE_MLH_Stock10 92s/0h of 92299 corpus (73883s/18416h ML) 03/09/06 +#counts SARE_MLH_Stock10 99s/0h of 104557 corpus (96562s/7995h FVGT) 03/10/06 + +body SARE_MLB_Stock11 /TRADE OUT THE TOP/ +describe SARE_MLB_Stock11 GOOD LUCK & TRADE OUT THE TOP +score SARE_MLB_Stock11 2.22 +#counts SARE_MLB_Stock11 121s/0h of 15635 corpus (7818s/7817h FT) 03/10/06 +#counts SARE_MLB_Stock11 1s/0h of 22943 corpus (17230s/5713h MY) 03/09/06 +#counts SARE_MLB_Stock11 49s/0h of 12237 corpus (6565s/5672h CT) 03/09/06 +#counts SARE_MLB_Stock11 5s/0h of 8715 corpus (6489s/2226h AxB) 03/10/06 +#counts SARE_MLB_Stock11 638s/0h of 92299 corpus (73883s/18416h ML) 03/09/06 +#counts SARE_MLB_Stock11 730s/0h of 106455 corpus (67078s/39377h DOC) 03/09/06 +#counts SARE_MLB_Stock11 769s/0h of 104557 corpus (96562s/7995h FVGT) 03/10/06 + + +header SARE_STOCK_MSG_ID2 Message-Id =~ m'thebat.net' +describe SARE_STOCK_MSG_ID2 Msg ID 'thebat.net' +score SARE_STOCK_MSG_ID2 1.66 +#counts SARE_STOCK_MSG_ID2 5154s/0h of 343238 corpus (252868s/90370h DOC) 01/07/07 +#counts SARE_STOCK_MSG_ID2 464s/0h of 20458 corpus (13941s/6517h CT) 01/07/07 +#counts SARE_STOCK_MSG_ID2 18s/0h of 9851 corpus (4594s/5257h AxB) 01/07/07 +#counts SARE_STOCK_MSG_ID2 2340s/0h of 95973 corpus (91391s/4582h AxB2) 01/07/07 +#counts SARE_STOCK_MSG_ID2 10154s/0h of 341479 corpus (263508s/77971h ML) 01/07/07 + + +#----------------------------------------------------------------------------------- + # 12/18/05 +## Contributed by Loren +# more stock spam goodies + +header SARE_LWMICROCAP Subject =~ /Miv?cr[o0][ _-]?(?:ca|ac)u?p/i 
+score SARE_LWMICROCAP 1.66 +##counts SARE_LWMICROCAP 16s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWMICROCAP 186s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWMICROCAP 210s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWMICROCAP 26s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWMICROCAP 38s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWMICROCAP 75s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWMICROCAP 808s/0h of 508570 corpus (180270s/328300h RM) 01/25/06 + +body SARE_LWSYMFMT /\b[A-Z0-9]{4,5}\s?\.\s?(?i:PK|[O0]B)\b/ # no /i +score SARE_LWSYMFMT 1.64 +##counts SARE_LWSYMFMT 143s/1h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWSYMFMT 1927s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWSYMFMT 2316s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWSYMFMT 240s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWSYMFMT 567s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWSYMFMT 622s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWSYMFMT 9380s/11h of 508570 corpus (180270s/328300h RM) 01/25/06 + +# 02/19/06 +# More crappy obfuscation in the stock discaimer. Use @ for a and * for e. 
+ +body SARE_LW1933 /[S\$]\s?[e3\*]\s?c\s?u\s?r\s?[i1!]\s?t\s?[i1!]\s?[e3\*]\s?[s\$]\s+(?:[E3\*]\s?x\s?c\s?h\s?[a4\@]\s?n\s?g\s?[e3\*]\s+)?[A4\@]?\s?c\s?t\s+[o0]f\s+(?:[1l|]933|n\s?[i1]\s?n\s?[e3\*]\s?t\s?[e3\*]\s?[e3\*]\s?n t\s?h\s?[i1!]\s?r\s?t\s?y t\s?h\s?r\s?[e3\*]\s?[e3\*])/is +score SARE_LW1933 1.41 +describe SARE_LW1933 Reference to Securities Act +#counts SARE_LW1933 1308s/0h of 97511 corpus (58134s/39377h DOC) 02/19/06 +#counts SARE_LW1933 1321s/0h of 74735 corpus (58806s/15929h ML) 02/19/06 +#counts SARE_LW1933 153s/0h of 27462 corpus (21821s/5641h MY) 02/19/06 +#counts SARE_LW1933 181s/0h of 11695 corpus (6133s/5562h CT) 02/19/06 +#counts SARE_LW1933 911s/0h of 27185 corpus (19320s/7865h FT) 02/20/06 +#counts SARE_LW1933 9s/0h of 7765 corpus (5542s/2223h AxB) 02/20/06 + +body SARE_LWWATCHIT /Watch\s+this\s+one\s+(?:on [mtwf]|trade|ALL\s+WEEK)/i +score SARE_LWWATCHIT 1.66 +##counts SARE_LWWATCHIT 1261s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWWATCHIT 1263s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWWATCHIT 141s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWWATCHIT 303s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWWATCHIT 382s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWWATCHIT 5426s/0h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWWATCHIT 83s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 + +body SARE_LWTARGETP /target[ _-]price:/i +score SARE_LWTARGETP 1.66 +##counts SARE_LWTARGETP 2527s/0h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWTARGETP 39s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWTARGETP 507s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWTARGETP 509s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWTARGETP 537s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWTARGETP 75s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWTARGETP 8s/0h of 
5645 corpus (3421s/2224h AxB) 01/26/06 + +body SARE_LWSAFEH /Safe Harbor Statement:/i +score SARE_LWSAFEH 1.66 +##counts SARE_LWSAFEH 1170s/2h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWSAFEH 14s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWSAFEH 1s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWSAFEH 1s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWSAFEH 4s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWSAFEH 4s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWSAFEH 53s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 + +# body SARE_LWREDHOT /red hot homeland/i +# score SARE_LWREDHOT 1.66 +##counts SARE_LWREDHOT 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWREDHOT 12s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWREDHOT 13s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWREDHOT 18s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWREDHOT 253s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWREDHOT 263s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWREDHOT 952s/0h of 508570 corpus (180270s/328300h RM) 01/25/06 + +body SARE_LWPINK /\bPINK\s*SHEETS\b/i +score SARE_LWPINK 1.59 +##counts SARE_LWPINK 125s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWPINK 1498s/9h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWPINK 14s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWPINK 194s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWPINK 205s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWPINK 2s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWPINK 31s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 + +body SARE_LWEMERGE /\bemerging .{0,40}company\b/i +score SARE_LWEMERGE 0.92 +##counts SARE_LWEMERGE 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWEMERGE 1463s/5h of 508570 corpus 
(180270s/328300h RM) 01/25/06 +##counts SARE_LWEMERGE 23s/1h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWEMERGE 2s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWEMERGE 2s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWEMERGE 86s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWEMERGE 92s/1h of 86182 corpus (46804s/39378h DOC) 01/25/06 + +body SARE_LWOILCO /(?:oil|gas)\s+company/i +score SARE_LWOILCO 1.13 +##counts SARE_LWOILCO 120s/2h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWOILCO 151s/3h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWOILCO 1748s/313h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWOILCO 1s/16h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWOILCO 2s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWOILCO 39s/2h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWOILCO 7s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 + +body SARE_LWCURTRADE /currently trading/i +score SARE_LWCURTRADE 1.61 +##counts SARE_LWCURTRADE 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWCURTRADE 1857s/5h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWCURTRADE 194s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWCURTRADE 200s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWCURTRADE 31s/1h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWCURTRADE 3s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWCURTRADE 9s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 + +header SARE_LWSKY Subject =~ /skyr[o0]cket/i +score SARE_LWSKY 1.66 +##counts SARE_LWSKY 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWSKY 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWSKY 146s/0h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWSKY 28s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWSKY 2s/0h of 37304 corpus 
(31827s/5477h MY) 01/25/06 +##counts SARE_LWSKY 3s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWSKY 95s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 + +# body SARE_LWSHORT /(?:short|long|covering)\s+position/i +# score SARE_LWSHORT 0.833 +##counts SARE_LWSHORT 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWSHORT 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWSHORT 0s/1h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWSHORT 16s/24h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWSHORT 1s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWSHORT 35s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWSHORT 4s/1h of 37304 corpus (31827s/5477h MY) 01/25/06 + +body SARE_LWDRIVE /drive (?:the|these|this) stock/i +score SARE_LWDRIVE 1.66 +##counts SARE_LWDRIVE 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWDRIVE 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWDRIVE 0s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWDRIVE 17s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWDRIVE 1s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWDRIVE 1s/5h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWDRIVE 3s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 + +body SARE_LWSHARES /(?i:shares of)\s+[A-Z0-9]{4}/ # no /i +score SARE_LWSHARES 0.39 +##counts SARE_LWSHARES 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWSHARES 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWSHARES 13s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWSHARES 1s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWSHARES 27s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWSHARES 32s/26h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWSHARES 7s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 + +body SARE_LWSHORTT 
/\bshort\s*term\b/i +score SARE_LWSHORTT 1.24 +##counts SARE_LWSHORTT 1026s/14h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWSHORTT 179s/10h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWSHORTT 20s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWSHORTT 291s/5h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWSHORTT 58s/10h of 11519 corpus (6151s/5368h CT) 01/25/06 +##counts SARE_LWSHORTT 846s/1h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWSHORTT 849s/465h of 508570 corpus (180270s/328300h RM) 01/25/06 + +body SARE_LWPROJECTION /projection:?\s+\$/i +score SARE_LWPROJECTION 1.66 +##counts SARE_LWPROJECTION 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWPROJECTION 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWPROJECTION 22s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWPROJECTION 49s/0h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWPROJECTION 68s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWPROJECTION 89s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWPROJECTION 9s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 + +# body SARE_LWPOISED /poised (?:to fly|for Big (?:gains|returns))/is +# score SARE_LWPOISED 1.66 +##counts SARE_LWPOISED 1081s/0h of 508570 corpus (180270s/328300h RM) 01/25/06 +##counts SARE_LWPOISED 128s/0h of 59166 corpus (45647s/13519h ML) 01/25/06 +##counts SARE_LWPOISED 172s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06 +##counts SARE_LWPOISED 2s/0h of 37304 corpus (31827s/5477h MY) 01/25/06 +##counts SARE_LWPOISED 2s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06 +##counts SARE_LWPOISED 303s/0h of 17497 corpus (9723s/7774h FT) 01/25/06 +##counts SARE_LWPOISED 9s/0h of 11519 corpus (6151s/5368h CT) 01/25/06 + +body SARE_LWFORWARD /(?:4r?|f[o0]r)w[a4\@]?rd[ _-]?[l|][o0][o0]k[il1]ng[ _-]?[s\$]t[a4\@]?t[e3\*]m[e3\*]nt[s\$]/is +score SARE_LWFORWARD 1.11 +#counts SARE_LWFORWARD 
183s/0h of 27462 corpus (21821s/5641h MY) 02/19/06 +#counts SARE_LWFORWARD 2026s/0h of 97511 corpus (58134s/39377h DOC) 02/19/06 +#counts SARE_LWFORWARD 2031s/0h of 74735 corpus (58806s/15929h ML) 02/19/06 +#counts SARE_LWFORWARD 255s/0h of 11695 corpus (6133s/5562h CT) 02/19/06 +#counts SARE_LWFORWARD 83s/1h of 7765 corpus (5542s/2223h AxB) 02/20/06 +#counts SARE_LWFORWARD 906s/0h of 27185 corpus (19320s/7865h FT) 02/20/06 + +body SARE_LWHUGE /huge (?:buy|growth|revenues|oppo|trade|pr\s)/i +score SARE_LWHUGE 1.54 +##counts SARE_LWHUGE 108s/0h of 37290 corpus (31815s/5475h MY) 02/02/06 +##counts SARE_LWHUGE 118s/0h of 11691 corpus (6130s/5561h CT) 02/02/06 +##counts SARE_LWHUGE 35s/0h of 26935 corpus (19146s/7789h FT) 02/03/06 +##counts SARE_LWHUGE 78s/0h of 3248 corpus (1027s/2221h AxB) 02/03/06 +##counts SARE_LWHUGE 876s/0h of 89538 corpus (50161s/39377h DOC) 02/02/06 +##counts SARE_LWHUGE 889s/0h of 59013 corpus (45512s/13501h ML) 02/03/06 +##counts SARE_LWHUGE 3317s/58h of 500113 corpus (227198s/272915h RM) 01/10/06 + +body SARE_LWACT_QUICKLY /\bact\s+quick(?:ly)?/i +describe SARE_LWACT_QUICKLY Spammer thinks you should hurry. 
+score SARE_LWACT_QUICKLY 1.17 +#counts SARE_LWACT_QUICKLY 26s/11h of 27479 corpus (21834s/5645h MY) 02/13/06 +#counts SARE_LWACT_QUICKLY 3s/0h of 7663 corpus (5437s/2226h AxB) 02/13/06 +#counts SARE_LWACT_QUICKLY 51s/4h of 27181 corpus (19321s/7860h FT) 02/13/06 +#counts SARE_LWACT_QUICKLY 637s/0h of 68401 corpus (53647s/14754h ML) 02/13/06 +#counts SARE_LWACT_QUICKLY 66s/0h of 11699 corpus (6139s/5560h CT) 02/13/06 +#counts SARE_LWACT_QUICKLY 733s/0h of 94330 corpus (54945s/39385h DOC) 02/13/06 + +#2006-02-19 + +## header __RATWR19_MESSID Message-ID =~ /<[A-Z]{21,38}(?:\.[a-z_]+)?\@/ +## describe __RATWR19_MESSID Message-ID: rat patrn (XXXXXXXXXXXX[.xxxxxx]@) + +# header __RATWARE_0_TZ_DATE Date =~ /\s\+0000$/ + +## header __SARE_MULT_RATW_02A ALL =~ m'\bMessage-ID: <[A-Z]{28}\.([^>]+)>\n.*\bFrom: \"[^\"]+\" <\1>\n's +## header __SARE_MULT_RATW_02B ALL =~ m'\bFrom: \"[^\"]+\" <([^>]+)>\n.*\bMessage-ID: <[A-Z]{28}\.\1>\n's + +## header __RATWR20_MESSID Message-ID =~ /<[A-Z]{21,38}[^\@>]*\@/ + +# meta LW_STOCK_SPAM4 __RATWARE_0_TZ_DATE && MIME_BASE64_TEXT +# score LW_STOCK_SPAM4 1.66 +# describe LW_STOCK_SPAM4 Yup, its a spam! 
+#counts LW_STOCK_SPAM4 0s/0h of 27462 corpus (21821s/5641h MY) 02/19/06
+#counts LW_STOCK_SPAM4 193s/0h of 11695 corpus (6133s/5562h CT) 02/19/06
+#counts LW_STOCK_SPAM4 2014s/0h of 74735 corpus (58806s/15929h ML) 02/19/06
+#counts LW_STOCK_SPAM4 2s/0h of 7765 corpus (5542s/2223h AxB) 02/20/06
+#counts LW_STOCK_SPAM4 353s/0h of 97511 corpus (58134s/39377h DOC) 02/19/06
+#counts LW_STOCK_SPAM4 509s/0h of 27185 corpus (19320s/7865h FT) 02/20/06
+
+
+# 2005-12-27
+# Contributed by Raymond
+# Updated by AXB 8/18/2007
+
+body SARE_PROLOSTOCK_SYM1 /\b(?:EXMT|PRTH|SZSN|WWNG|ERMX|SPHM|SGXI|TVEN|GPSI|A0LB1T|FDEG|QMMG|DPWI|BVYH|NWVM|FBVG|CDYV|EXVG|NNYR|OPLO|VYEY|UTEV|MHII|MGOA|KRXR|CBFE|QCPC|MBWC|TGVI|XNYH|HXPN|PGGG|VSUS|BLNM|NXSF|UDTT|TFZP|MXXR|NHVP|VGYI|CRSVF|CYHD|MXXR|ALVN|TMXO|HLUN|CDPN|KMAG|EQTD|QEGY|SRVN|WYPH|ILKG|HNST|DIAAF|FCYI|CTBG|LITL|HYWI|MGMX|SYNI|DGKO|AVCP|TGLE|TKTJF|CTXE|CTFE|HYBT|RKLC|KDNG|PNAMF|FPPL|FCPG|PHDTF|HWYI|ZLDV|WDCV|ILKG|AMMX|UMSY|PZFC|RWGI|IFNX|IPKL|CHMS|VNBL|PPTL|CDGT|XMON|STWG|APWL|TEDG|SPZI|TOTG|WWBP|CWTD|MWIS|CGKY|CDVM|GFCI|SLVG|WNWG|AXCP|WNWG|JCDS|HLVC|WNWG|CYI0|KKPT|GFPE|WSRA|CHNW|SPMP|DTGP|PGCN|KLGE|DKDY|RMVN|KSWJ|CTKR|NSLT|RLYC|PFNC)\b/
+score SARE_PROLOSTOCK_SYM1 1.63
+describe SARE_PROLOSTOCK_SYM1 Last week's hot stock scam
+
+body SARE_PROLOSTOCK_SYM2 /\b(?:P R T H|C H V C|N W V M|C E O A|C T C X|C N H C|A D D L|T J S S|A E T R|T X H E|C R S V F|W B R S|S S U F|H L V C|G D K I|A G A 0|C G D C|H Y W I|I N F X|A B S Y|H L U N|F C Y I|A M S N|W T A F|H Y W I|C T X E|U S T A|I Z O N|I L K G|R T C I|P P T L|S B B D|E G L Y|A X C P|D K D Y|P G C N| M W I S|I G A M|F C P G|D M S I)\b/
+score SARE_PROLOSTOCK_SYM2 1.01
+describe SARE_PROLOSTOCK_SYM2 Last week's hot stock scam
+
+body SARE_PROLOSTOCK_SYM3 /\b(?:SYGT|CYTV|LTDI|MM1|OTLK|MRMT|SREA|VPSN|SGXI|MGOA|COPI|ONCO|UTEV|DSI|UTEV|TRDX|CHVC|ASVP|CPMM|TMMG|PLMA|CCTI|PPTM|SCPT|CBRP|MRDY|SGDS|NNCP|ACEN|LOMJ|CTCX|BLRS|IWRS|CBFE|SHMM|LOMJ|CBRJ|ARSS|HPGI|USSG|NNSR|VTSS|AFML|WDSC|MISJ|ADYN|TTEN|IDSM|PHYA|AMSN|FCNK|LVCC|HEGP|CNHC|CFSC|ADDL|GAMN|CNPM|PRGJ|BMSN|RREF|GSNH|TNEN|GITH|AGGI|AUNI|MPRG|DFSE|WBRS|KGBC|HBID|TXHE|BCLC|SBNS|WLON|TERX|XTPT|AETR|EGLY|SMKG|HMGP|SSUF|AGAO|DGTL|GDKI|NCSH|COSCO|PSUD|VNGP|ISMN|DBSJ|VMCI|BWEB|VMCI|HRRP|KMAG|EPLJ|ABSY|IBTY|NPWS|NNLX|SBRX|APPM|INFX|CGDC|DPER|VMCI|HBSC|DPGP|TAOL|SIKY|RTCI|NNPC|SWNM|pptl|AAPM|MDBF|ADYE|SPSY|NMEN|WNCP|IZON|MDEX|SNVH|IVHN|NNFC|FEKY|ADYE|ADCS|PFNC|CBIO|CRHI|SBBD|UBTA|EPRT|ADNL|ANDL|IGTS|EQSE|CEOA|RYNL|CFRI|NHLG|EXTI|CIVX|GAPJ|BCSM|SGWV|PDSC|IGAM|PIFR)\b/
+score SARE_PROLOSTOCK_SYM3 1.63
+describe SARE_PROLOSTOCK_SYM3 Last week's hot stock scam
+
+body SARE_PROLOSTOCK_SYM4 /\b(?:LTDI\.PK|PAYI\.OB|GDVM\.PK|ETMO\.PK|SPHM\.PK|ADOV\.OB|PHYA\.PK|DIAAF\.OB|RRGI\.PK|MRDY\.PK|GAMT\.OB|CBRP\.PK|NNCP\.PK|AMXG\.OB|SHDG\.PK|TAMG\.OB|PBOF\.OB|TICLF\.PK|MHII\.OB|PHYH\.PK|MISJ\.PK|QCPC\.PK|BMGP\.PK|WEXE\.PK|AGWS\.PK|LOMJ\.PK|ATVR\.PK|BLTA\.OB|CBFE\.PK|HSFI\.PK|MHII\.OB|BMOD\.OB|WDSC\.PK|NNYG\.PK|SRRL\.OB|FPMC\.PK|AMSN\.PK|Axtg\.pk|FCNK\.PK|THRI\.PK|MAKU\.OB|WHKA\.PK|BLNM\.OB|TORA\.OB|CNHC\.PK|IFLT\.PK|NHVP\.PK|AVLN\.OB|SGDS\.PK|FCTOA\.OB|SGDS\.PK|TERX\.OB|BMSN\.OB|TQWW\.PK|FTRM\.PK|SORD\.OB|TXHE\.PK|IVAYY\.PK|IVAY\.PK|VGYI\.PK|PGCN\.OB|GYI\.PK|AG HG|HLUN\.PK|WBRS\.PK|GDKI\.PK|ILKG\.PK|VNGP\.PK|DPER\.PK|FCYI\.PK|KMAG\.PK|DPEK\.PK|EPLJ\.PK|KFTG\.PK|HYW I|FCYI\.PK|LITL\.PK|TGVI\.PK|VMCI\.PK|AGHG\.PK|DPGP\.PK|AVCP\.PK|FPPL\.PK|CTFE\.PK|UBTA\.PK|Mhpt.pk|BDWH\.PK|BIGN.PK|CRHI\.OB|CBIO\.PK|SWNM.PK)\.?\b/
+score SARE_PROLOSTOCK_SYM4 1.66
+describe SARE_PROLOSTOCK_SYM4 Last week's hot stock scam
+
+# Added by AXB 8/18/2007
+
+body SARE_AXBSTOCK_EXMT /\bE\s?\W?X\s?\W?M\s?\W?T\b/
+score SARE_AXBSTOCK_EXMT 1.66
+
+body SARE_AXBSTOCK_EXMTPK /\bE\s?\W?X\s?\W?M\s?\W?T\s?\.\s?\W?P\s?\W?K\b/
+score SARE_AXBSTOCK_EXMTPK 1.66
+
+
+# 2005-12-27
+# ------FREDS STOCK RULESET--------
+body __SYMBOL_XXXX /\b(?:[sS][yY][mM][bB][o0O][lL1]|[Tt][iI1][cC][kK][eE][rR]):(?:\s|_)?[A-Z]{4}\b/
+body __STOCK_NAME /St[0O]ck Name:(?:\s|_)?[A-Z]{4}\b/
+body __WORD_STOCK_F /\bst[o0]cks?\b/i
+meta STOCK_NAME_FVGT1 ((__SYMBOL_XXXX || __STOCK_NAME) && __WORD_STOCK_F)
+score STOCK_NAME_FVGT1 1.66
+##counts STOCK_NAME_FVGT1 1637s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts STOCK_NAME_FVGT1 1984s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts STOCK_NAME_FVGT1 218s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts STOCK_NAME_FVGT1 21s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts STOCK_NAME_FVGT1 2963s/6h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts STOCK_NAME_FVGT1 426s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts STOCK_NAME_FVGT1 483s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+
+# 2005-12-28
+# Contributed by Bob and Mike
+body SARE_RMML_Stock1 /0tc/i
+score SARE_RMML_Stock1 0.21
+##counts SARE_RMML_Stock1 0s/1h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock1 14s/4h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock1 15s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock1 1s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock1 232s/96h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock1 26s/5h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock1 38s/6h of 17497 corpus (9723s/7774h FT) 01/25/06
+
+body SARE_RMML_Stock2 /0pportunity/i
+score SARE_RMML_Stock2 1.66
+##counts SARE_RMML_Stock2 118s/0h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock2 1s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock2 9s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock2 2s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock2 35s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock2 41s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock2 44s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+
+# body SARE_RMML_Stock3 /more stock/i
+# score SARE_RMML_Stock3 0.027
+##counts SARE_RMML_Stock3 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock3 0s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock3 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock3 0s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock3 1s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock3 1s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock3 4s/28h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+body SARE_RMML_Stock4 /stock (?:pick|trading)/i
+score SARE_RMML_Stock4 1.54
+##counts SARE_RMML_Stock4 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock4 22s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock4 325s/86h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock4 40s/1h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock4 42s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock4 4s/1h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock4 61s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+
+body SARE_RMML_Stock5 /trading gains/i
+score SARE_RMML_Stock5 1.66
+##counts SARE_RMML_Stock5 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock5 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock5 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock5 0s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock5 26s/1h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock5 2s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock5 8s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+
+body SARE_RMML_Stock6 /1nvest/i
+score SARE_RMML_Stock6 1.66
+##counts SARE_RMML_Stock6 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock6 126s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock6 15s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock6 166s/0h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock6 64s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock6 8s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock6 9s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+
+body SARE_RMML_Stock7 /(?:investor|trading) alert/i
+score SARE_RMML_Stock7 1.64
+##counts SARE_RMML_Stock7 1s/1h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock7 217s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock7 242s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock7 24s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock7 372s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock7 48s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock7 553s/87h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+body SARE_RMML_Stock8 /stocks? (?:to|2) watch/i
+score SARE_RMML_Stock8 1.66
+##counts SARE_RMML_Stock8 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock8 16s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock8 1s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock8 31s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock8 5s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock8 81s/4h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock8 8s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+
+body SARE_RMML_Stock9 /0il/i
+score SARE_RMML_Stock9 0.13
+##counts SARE_RMML_Stock9 12s/9h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock9 16s/2h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock9 1s/1h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock9 23s/1h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock9 39s/3h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock9 4s/1h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock9 782s/64h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+body SARE_RMML_Stock10 /buy-in/i
+score SARE_RMML_Stock10 0.13
+##counts SARE_RMML_Stock10 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock10 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock10 0s/1h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock10 1s/16h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock10 2s/3h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock10 34s/72h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock10 35s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+
+# body SARE_RMML_Stock15 /(?:rise|jump).{1,20}in the first/i
+# score SARE_RMML_Stock15 0.027
+##counts SARE_RMML_Stock15 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock15 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock15 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock15 1s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock15 1s/1h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock15 33s/12h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock15 3s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+
+# body SARE_RMML_Stock16 /make invest/i
+# score SARE_RMML_Stock16 0.027
+##counts SARE_RMML_Stock16 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock16 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock16 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock16 0s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock16 10s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock16 19s/28h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock16 1s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+
+body SARE_RMML_Stock17 /(?:poised|positioned) to (?:make|double|move|jump)/i
+score SARE_RMML_Stock17 0.64
+##counts SARE_RMML_Stock17 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock17 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock17 102s/39h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock17 3s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock17 6s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock17 6s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock17 6s/3h of 86182 corpus (46804s/39378h DOC) 01/25/06
+
+# body SARE_RMML_Stock18 /(?:investors|reach).{1,20}illion/i
+# score SARE_RMML_Stock18 0.222
+##counts SARE_RMML_Stock18 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock18 11s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock18 24s/5h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock18 39s/10h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock18 56s/5h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock18 5s/2h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock18 685s/922h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+body SARE_RMML_Stock19 /illion.{0,500}investor/i
+score SARE_RMML_Stock19 0.22
+##counts SARE_RMML_Stock19 14s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock19 232s/531h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock19 48s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock19 6s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock19 73s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock19 7s/1h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock19 82s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+
+body SARE_RMML_Stock20 /winning trade/i
+score SARE_RMML_Stock20 0.43
+##counts SARE_RMML_Stock20 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock20 1s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock20 1s/1h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock20 2s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock20 5s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock20 7s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock20 9s/17h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+body SARE_RMML_Stock21 /will th(?:is *(?:stock|small)|ese share)/i
+score SARE_RMML_Stock21 1.66
+##counts SARE_RMML_Stock21 0s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock21 2s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock21 37s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock21 3s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock21 4s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock21 55s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock21 68s/0h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+body SARE_RMML_Stock22 /\b(?:m.icro|mi.cro|mic.ro|micr.o).{0,5}cap/i
+score SARE_RMML_Stock22 1.66
+##counts SARE_RMML_Stock22 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock22 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock22 144s/0h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock22 2s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock22 45s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock22 78s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock22 8s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+
+body SARE_RMML_Stock23 /market (?:watch alert|wizard)/i
+score SARE_RMML_Stock23 1.66
+##counts SARE_RMML_Stock23 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock23 0s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock23 1s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock23 3s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock23 40s/9h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock23 6s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock23 9s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+
+body SARE_RMML_Stock24 /\bs.?t.?0.?c.?k.?s?\b/i
+score SARE_RMML_Stock24 1.66
+##counts SARE_RMML_Stock24 1588s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock24 1653s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock24 187s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock24 235s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock24 347s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock24 4378s/0h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock24 81s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+
+body SARE_RMML_Stock25 /undervalue/i
+score SARE_RMML_Stock25 0.80
+##counts SARE_RMML_Stock25 110s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock25 11s/2h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock25 2147s/167h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock25 34s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock25 650s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock25 723s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock25 74s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+
+body SARE_RMML_Stock26 /hot (?:pick|penny|shot stock|stock)/i
+score SARE_RMML_Stock26 1.49
+##counts SARE_RMML_Stock26 185s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock26 206s/1h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock26 264s/3h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock26 33s/1h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock26 46s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock26 64s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+##counts SARE_RMML_Stock26 953s/37h of 508570 corpus (180270s/328300h RM) 01/25/06
+
+body SARE_RMML_Stock27 /g.?[0o].?l.?d.? c.?[o0].?m.?p.?a.?n.?y/i
+score SARE_RMML_Stock27 1.66
+##counts SARE_RMML_Stock27 0s/0h of 11519 corpus (6151s/5368h CT) 01/25/06
+##counts SARE_RMML_Stock27 10s/0h of 37304 corpus (31827s/5477h MY) 01/25/06
+##counts SARE_RMML_Stock27 22s/0h of 59166 corpus (45647s/13519h ML) 01/25/06
+##counts SARE_RMML_Stock27 2s/0h of 86182 corpus (46804s/39378h DOC) 01/25/06
+##counts SARE_RMML_Stock27 363s/4h of 508570 corpus (180270s/328300h RM) 01/25/06
+##counts SARE_RMML_Stock27 3s/0h of 17497 corpus (9723s/7774h FT) 01/25/06
+##counts SARE_RMML_Stock27 3s/0h of 5645 corpus (3421s/2224h AxB) 01/26/06
+
+#-----------------------------------------------------------------------------------
+# 03/07/2006
+## Contributed by Dallas
+
+meta __IMG_ONLY ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 )
+
+full SARE_GIF_ATTACH /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i
+describe SARE_GIF_ATTACH Email has a inline gif
+score SARE_GIF_ATTACH 1.42
+#counts SARE_GIF_ATTACH 107s/7h of 22956 corpus (17243s/5713h MY) 03/07/06
+#counts SARE_GIF_ATTACH 171s/7h of 12239 corpus (6565s/5674h CT) 03/07/06
+#counts SARE_GIF_ATTACH 1881s/7h of 105448 corpus (66068s/39380h DOC) 03/07/06
+#counts SARE_GIF_ATTACH 2743s/1h of 89274 corpus (71419s/17855h ML) 03/07/06
+#counts SARE_GIF_ATTACH 530s/5h of 15560 corpus (7747s/7813h FT) 03/07/06
+#counts SARE_GIF_ATTACH 736s/9h of 7196 corpus (4970s/2226h AxB) 03/08/06
+#counts SARE_GIF_ATTACH 1825s/5h of 50435 corpus (42435s/8000h FVGT) 03/08/06
+
+meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
+describe SARE_GIF_STOX Inline Gif with little HTML
+score SARE_GIF_STOX 1.66
+#counts SARE_GIF_STOX 1603s/0h of 105448 corpus (66068s/39380h DOC) 03/07/06
+#counts SARE_GIF_STOX 166s/0h of 12239 corpus (6565s/5674h CT) 03/07/06
+#counts SARE_GIF_STOX 174s/0h of 7196 corpus (4970s/2226h AxB) 03/08/06
+#counts SARE_GIF_STOX 2326s/1h of 89274 corpus (71419s/17855h ML) 03/07/06
+#counts SARE_GIF_STOX 486s/2h of 15560 corpus (7747s/7813h FT) 03/07/06
+#counts SARE_GIF_STOX 82s/1h of 22956 corpus (17243s/5713h MY) 03/07/06
+#counts SARE_GIF_STOX 1634s/2h of 50435 corpus (42435s/8000h FVGT) 03/08/06
+
+# contributed by Chris S.
+# 02/14/06
+body SARE_CSBIG /(?:explosive|huge|big|increased|great|incredible).(?:gains|returns)/is
+describe SARE_CSBIG Only Spicy food gives me an Explosive Gain.
+score SARE_CSBIG 1.65
+#counts SARE_CSBIG 345s/0h of 27181 corpus (19321s/7860h FT) 02/13/06
+#counts SARE_CSBIG 654s/0h of 94330 corpus (54945s/39385h DOC) 02/13/06
+#counts SARE_CSBIG 68s/0h of 11699 corpus (6139s/5560h CT) 02/13/06
+#counts SARE_CSBIG 775s/0h of 68401 corpus (53647s/14754h ML) 02/13/06
+#counts SARE_CSBIG 81s/0h of 27479 corpus (21834s/5645h MY) 02/13/06
+#counts SARE_CSBIG 86s/0h of 7663 corpus (5437s/2226h AxB) 02/13/06
+
+header SARE_CSNUMTAG Received =~ /from \-\d{5,}/
+describe SARE_CSNUMTAG Spamsign in header
+score SARE_CSNUMTAG 1.66
+#counts SARE_CSNUMTAG 0s/0h of 11699 corpus (6139s/5560h CT) 02/13/06
+#counts SARE_CSNUMTAG 145s/0h of 27181 corpus (19321s/7860h FT) 02/13/06
+#counts SARE_CSNUMTAG 1s/0h of 27479 corpus (21834s/5645h MY) 02/13/06
+#counts SARE_CSNUMTAG 2429s/0h of 94330 corpus (54945s/39385h DOC) 02/13/06
+#counts SARE_CSNUMTAG 30s/0h of 7663 corpus (5437s/2226h AxB) 02/13/06
+#counts SARE_CSNUMTAG 9s/0h of 68401 corpus (53647s/14754h ML) 02/13/06
+
+rawbody __SARE_CSTRADE2 /trading/i
+rawbody __SARE_CSTRADE3 /(?:all|next|this).?(month|week)/i
+rawbody __SARE_CSTRADE4 /src\="cid/i
+
+meta SARE_CSTRADE5 (__SARE_CSTRADE2 && __SARE_CSTRADE3 && __SARE_CSTRADE4)
+describe SARE_CSTRADE5 STOCK Attachments.
+score SARE_CSTRADE5 0.52
+#counts SARE_CSTRADE5 0s/0h of 27479 corpus (21834s/5645h MY) 02/13/06
+#counts SARE_CSTRADE5 1s/0h of 7663 corpus (5437s/2226h AxB) 02/13/06
+#counts SARE_CSTRADE5 288s/0h of 27181 corpus (19321s/7860h FT) 02/13/06
+#counts SARE_CSTRADE5 39s/0h of 94330 corpus (54945s/39385h DOC) 02/13/06
+#counts SARE_CSTRADE5 3s/0h of 11699 corpus (6139s/5560h CT) 02/13/06
+#counts SARE_CSTRADE5 58s/0h of 68401 corpus (53647s/14754h ML) 02/13/06
+
+body SARE_CSSM /smart m.ney equ.{3}es/is
+describe SARE_CSSM Smart Money Equities
+score SARE_CSSM 1.66
+
+#counts SARE_CSSM 383s/0h of 92359 corpus (52980s/39379h DOC) 02/09/06
+#counts SARE_CSSM 367s/0h of 27121 corpus (19266s/7855h FT) 02/09/06
+#counts SARE_CSSM 198s/0h of 60808 corpus (47084s/13724h ML) 02/11/06
+#counts SARE_CSSM 23s/0h of 11691 corpus (6130s/5561h CT) 02/09/06
+#counts SARE_CSSM 7s/0h of 6901 corpus (4676s/2225h AxB) 02/09/06
+#counts SARE_CSSM 0s/0h of 37286 corpus (31814s/5472h MY) 02/09/06
+
+# Chris Santerre
+# SpamAssassin RulesEmporium (SARE)
+#
+# Salty Stock Rules
+# 10/18/06
+# Version: 2.51
+#
+# These rules have been tested.
+# They are meant to catch stock spams with inline gifs
+#
+# chris@uribl.com
+
+rawbody __MY_CID /src\=\"cid\:/i
+describe __MY_CID SARE inline attached image
+# avg S/O .85
+
+rawbody __MY_CLOSING /\<\/FONT\>\<\/DIV\>\<\/BODY\>\<\/HTML\>/i
+describe __MY_CLOSING font,div,body,html closing
+# avg S/O .70
+
+rawbody __MY_EMPTY_FONT /face\=Arial size\=.\>\<\/FONT\>\<\/DIV\>/i
+describe __MY_EMPTY_FONT SARE Empty font tag
+# avg S/O .78
+
+rawbody __MY_ARIAL2 /face\=Arial size\=2\>/i
+describe __MY_ARIAL2 SARE Arial font size 2
+# avg S/O .74
+
+rawbody __MY_STYLE /\<STYLE\>\<\/STYLE\>/
+describe __MY_STYLE SARE Empty STYLE tags
+# avg S/O Not tested seperetly.
+
+meta MY_CID_AND_ARIAL2 (__MY_CID && __MY_ARIAL2)
+describe MY_CID_AND_ARIAL2 SARE CID and Arial2
+score MY_CID_AND_ARIAL2 1.46
+#counts MY_CID_AND_ARIAL2 27444s/94h of 89314 corpus (85178s/4136h AxB2) 10/16/06
+#counts MY_CID_AND_ARIAL2 13423s/0h of 256437 corpus (192643s/63794h ML) 10/16/06
+#counts MY_CID_AND_ARIAL2 6665s/139h of 250718 corpus (180406s/70312h DOC) 10/16/06
+#counts MY_CID_AND_ARIAL2 276s/98h of 8722 corpus (4334s/4388h AxB) 10/16/06
+#counts MY_CID_AND_ARIAL2 1513s/5h of 23589 corpus (16994s/6595h CT) 10/16/06
+#counts MY_CID_AND_ARIAL2 3004s/43h of 43545 corpus (34574s/8971h FVGT) 10/17/06
+# avg S/O 0.905
+
+meta MY_CID_AND_CLOSING (__MY_CID && __MY_CLOSING)
+describe MY_CID_AND_CLOSING SARE cid and closing
+score MY_CID_AND_CLOSING 1.60
+#counts MY_CID_AND_CLOSING 6701s/27h of 89314 corpus (85178s/4136h AxB2) 10/16/06
+#counts MY_CID_AND_CLOSING 4864s/0h of 256437 corpus (192643s/63794h ML) 10/16/06
+#counts MY_CID_AND_CLOSING 4333s/31h of 250718 corpus (180406s/70312h DOC) 10/16/06
+#counts MY_CID_AND_CLOSING 117s/27h of 8722 corpus (4334s/4388h AxB) 10/16/06
+#counts MY_CID_AND_CLOSING 717s/1h of 23589 corpus (16994s/6595h CT) 10/16/06
+#counts MY_CID_AND_CLOSING 2531s/5h of 43545 corpus (34574s/8971h FVGT) 10/17/06
+# avg S/O 0.929
+
+meta MY_CID_AND_STYLE (__MY_CID && __MY_STYLE)
+describe MY_CID_AND_STYLE SARE cid and style
+score MY_CID_AND_STYLE 1.54
+#counts MY_CID_AND_STYLE 41863s/84h of 89314 corpus (85178s/4136h AxB2) 10/16/06
+#counts MY_CID_AND_STYLE 20759s/0h of 256437 corpus (192643s/63794h ML) 10/16/06
+#counts MY_CID_AND_STYLE 10930s/278h of 250718 corpus (180406s/70312h DOC) 10/16/06
+#counts MY_CID_AND_STYLE 296s/87h of 8722 corpus (4334s/4388h AxB) 10/16/06
+#counts MY_CID_AND_STYLE 1800s/2h of 23589 corpus (16994s/6595h CT) 10/16/06
+#counts MY_CID_AND_STYLE 4453s/59h of 43545 corpus (34574s/8971h FVGT) 10/17/06
+# avg S/O 0.918
+
+meta MY_CID_FONT (__MY_CID && __MY_EMPTY_FONT)
+describe MY_CID_FONT SARE cid and empty font
+score MY_CID_FONT 0.92
+#counts MY_CID_FONT 269s/1h of 23587 corpus (16993s/6594h CT) 10/16/06
+#counts MY_CID_FONT 147s/1h of 8726 corpus (4336s/4390h AxB) 10/16/06
+#counts MY_CID_FONT 592s/1h of 89712 corpus (85572s/4140h AxB2) 10/16/06
+#counts MY_CID_FONT 3273s/0h of 256375 corpus (192586s/63789h ML) 10/16/06
+#counts MY_CID_FONT 116s/1h of 250747 corpus (180440s/70307h DOC) 10/16/06
+# avg S/O 0.984
+
+meta MY_CID_ARIAL2_CLOSING (__MY_CID && __MY_ARIAL2 && __MY_CLOSING)
+describe MY_CID_ARIAL2_CLOSING SARE cid arial2 closing
+score MY_CID_ARIAL2_CLOSING 1.63
+#counts MY_CID_ARIAL2_CLOSING 6554s/14h of 89314 corpus (85178s/4136h AxB2) 10/16/06
+#counts MY_CID_ARIAL2_CLOSING 4065s/0h of 256437 corpus (192643s/63794h ML) 10/16/06
+#counts MY_CID_ARIAL2_CLOSING 3969s/2h of 250718 corpus (180406s/70312h DOC) 10/16/06
+#counts MY_CID_ARIAL2_CLOSING 116s/14h of 8722 corpus (4334s/4388h AxB) 10/16/06
+#counts MY_CID_ARIAL2_CLOSING 600s/1h of 23589 corpus (16994s/6595h CT) 10/16/06
+#counts MY_CID_ARIAL2_CLOSING 1614s/0h of 43545 corpus (34574s/8971h FVGT) 10/17/06
+# avg S/O 0.962
+
+meta MY_CID_ARIAL_STYLE (__MY_CID && __MY_ARIAL2 && __MY_STYLE)
+describe MY_CID_ARIAL_STYLE SARE cid arial2 style
+score MY_CID_ARIAL_STYLE 1.58
+#counts MY_CID_ARIAL_STYLE 27427s/39h of 89314 corpus (85178s/4136h AxB2) 10/16/06
+#counts MY_CID_ARIAL_STYLE 12497s/0h of 256437 corpus (192643s/63794h ML) 10/16/06
+#counts MY_CID_ARIAL_STYLE 6470s/97h of 250718 corpus (180406s/70312h DOC) 10/16/06
+#counts MY_CID_ARIAL_STYLE 276s/41h of 8722 corpus (4334s/4388h AxB) 10/16/06
+#counts MY_CID_ARIAL_STYLE 1489s/1h of 23589 corpus (16994s/6595h CT) 10/16/06
+#counts MY_CID_ARIAL_STYLE 2222s/28h of 43545 corpus (34574s/8971h FVGT) 10/17/06
+# avg S/O 0.951
+
+#EOF
+
diff --git a/common/sare/72_sare_bml_post25x.cf b/common/sare/72_sare_bml_post25x.cf
new file mode 100644
index 0000000..5ee9676
--- /dev/null
+++ b/common/sare/72_sare_bml_post25x.cf
@@ -0,0 +1,285 @@ +# SARE "Biz_Market_Learn" Ruleset for SpamAssassin 2.5x and higher +# Version: 01.02.03 # The BML set has been renamed to match SARE's updated standards, the new name is 72_sare_bml_post25x.cf +# Created: 2004-03-21 +# Modified: 2007-05-21 +# Changes: Fixed date format and a small typo in the college scam rules +# License: Artistic - see http://www.rulesemporium.com/license.txt +# Current Maintainer: Matt Yackley - bml@rulesemporium.com +# Current Home: http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf +# Requirements: SpamAssassin 2.5x or higher +# SA 3.0 compliant: Yes +# +#### + +############################### +# header rules # +############################### + +header SARE_ALC ALL =~ /improve your/i +describe SARE_ALC Some header matches /improve your/i +score SARE_ALC 1.405 +# Original name: ALC_2 +# 153s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 6s/1h of 15929 corpus (13729s/2200h) 03/21/04 + +header SARE_SUBLRNMR Subject =~ /learn more/i +describe SARE_SUBLRNMR Learn more in Subject +score SARE_SUBLRNMR 0.638 +# Original name: MY_S_LRNMR +# 15s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 1s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +header SARE_SUBRATES Subject =~ /low rates/i +describe SARE_SUBRATES The Subject line talks about low rates +score SARE_SUBRATES 0.636 +# Original name: MY_RATES_SUBJ +# 29s/1h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +header SARE_SUBSTOCK Subject =~ /\bstock.?market\b/i +describe SARE_SUBSTOCK Stock Market Spam +score SARE_SUBSTOCK 1.666 +# Original name: STOCK_SPAM +# 365s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 11s/0h of 15929 corpus (13729s/2200h) 03/21/04 + + +############################### +# body rules # +############################### + +body SARE_FWDLOOK /\bforward.?looking\b/i +describe SARE_FWDLOOK Forward looking statements about stocks +score SARE_FWDLOOK 1.666 +# Original name: FWD_STOCK +# 1146s/2h of 119325 
corpus (98981s/20344h) 03/21/04 +# 68s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_XPNDMRKT /expand.{0,20}your.{0,20}market/i +describe SARE_XPNDMRKT Talks about expanding your market +score SARE_XPNDMRKT 0.375 +# Original name: FVGT_b_EXPANDMARKET +# 36s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/1h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_SELLYOUR /SELL.{0,20}YOUR/ +describe SARE_SELLYOUR SELL * YOUR in caps +score SARE_SELLYOUR 0.333 +# Original name: FVGT_b_SELLYOUR +# 6s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/21/0 + +body SARE_URGBIZ /urgent.{0,16}(?:assistance|business|buy|confidential|notice|proposal|reply| request|response)/i +describe SARE_URGBIZ Contains urgent matter +score SARE_URGBIZ 0.725 +# Original name: FVGT_b_URGENT_BIZ +# 468s/7h of 119325 corpus (98981s/20344h) 03/21/04 +# 61s/1h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_ONDEAL /on this deal/i +describe SARE_ONDEAL Phrase, On this deal +score SARE_ONDEAL 0.222 +# Original name: MY_ON_DEAL +# 8s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 1s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_NETPROD /internet product/i +describe SARE_NETPROD Phrase, Internet Product. 
+score SARE_NETPROD 0.111 +# Original name: MY_INT_PROD +# 2s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 2s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_GENUINEOP /genuine .{0,10}.?opportunity/i +describe SARE_GENUINEOP Genuine oppurtunity +score SARE_GENUINEOP 0.055 +# Original name: MY_GENUINE +# 1s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_WEOFFER /we offer/i +describe SARE_WEOFFER Offers Something +score SARE_WEOFFER 0.300 +# Original name: MY_WE_OFFER +# 1737s/90h of 119325 corpus (98981s/20344h) 03/21/04 +# 175s/18h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_LOANOFF /loan officers?/i +describe SARE_LOANOFF No one needs Loan officers anymore +score SARE_LOANOFF 0.611 +# Original name: MY_LOANOFF +# 10s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 17s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_DIPLOMA2 /your diploma|online degrees?|degrees? online/i +describe SARE_DIPLOMA2 Talks about online degrees or diplomas +score SARE_DIPLOMA2 0.900 +# Original name: MY_DIPLOMA +# 280s/2h of 119325 corpus (98981s/20344h) 03/21/04 +# 89s/2h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_FINCLOP /(?:internet|financial) (?:success|opportunit(?:y|ies))/i +describe SARE_FINCLOP Talks about financial or internet opportunity. +score SARE_FINCLOP 0.633 +# Original name: MY_FINCL_OP +# 58s/3h of 119325 corpus (98981s/20344h) 03/21/04 +# 72s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_MILLIONSOF /\bmillions of\b/i +describe SARE_MILLIONSOF Millions of something. +score SARE_MILLIONSOF 0.315 +# Original name: MY_MILLIONS +# 879s/62h of 119325 corpus (98981s/20344h) 03/21/04 +# 129s/9h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_MONEYTERMS /(?:financing available|bankruptcy|(?:build(ing)?|increase|more).{1,10}wealth|(?:fast|concerning) (the )?(?:cash|money)|unclaimed|your dept|money you need)/i +describe SARE_MONEYTERMS Talks about money in some way. 
+score SARE_MONEYTERMS 0.681 +# Original name: MY_MONEY_TERMS +# 1505s/17h of 119325 corpus (98981s/20344h) 03/21/04 +# 227s/9h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_VALOFFR /valuable offers?/i +describe SARE_VALOFFR Talks about valuable offers. +score SARE_VALOFFR 1.666 +# Original name: MY_VAL_OFR +# 497s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 233s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_FASTAPPRV /(?:instant|immediate|fast) approval/i +describe SARE_FASTAPPRV Talks about quick approval +score SARE_FASTAPPRV 0.325 +# Original name: MY_INSTANT +# 70s/3h of 119325 corpus (98981s/20344h) 03/21/04 +# 21s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_HOMELOAN /(?:refi|home) (equity|loan)/i +describe SARE_HOMELOAN Home mortgage stuff +score SARE_HOMELOAN 0.415 +# Original name: MY_HOME +# 649s/13h of 119325 corpus (98981s/20344h) 03/21/04 +# 147s/3h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_PRODUCT /product offerings?/i +describe SARE_PRODUCT Talks about product offerings. +score SARE_PRODUCT 0.333 +# Original name: MY_PRODUCTS +# 23s/2h of 119325 corpus (98981s/20344h) 03/21/04 +# 45s/1h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_NTWKMRKT /network marketing/i +describe SARE_NTWKMRKT Network marketing, pyramid scheme. +score SARE_NTWKMRKT 0.691 +# Original name: MY_NETMARK +# 49s/1h of 119325 corpus (98981s/20344h) 03/21/04 +# 55s/2h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_BIZOP /business opportunit(ies|y)/i +describe SARE_BIZOP Biz op could be legit, but often isn't. 
+score SARE_BIZOP 0.700 +# Original name: MY_BIZOP +# 213s/6h of 119325 corpus (98981s/20344h) 03/21/04 +# 81s/5h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_UNQBIZ /unique business/i +describe SARE_UNQBIZ Talks about unique business +score SARE_UNQBIZ 0.315 +# Original name: MY_UNQBIZ +# 2s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 1s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_DEGREETALK /legitimate.{1,35}(associate|bachelor|master|doctor).{1,35}degree/i +describe SARE_DEGREETALK Yaps about "legitimate" college degrees +score SARE_DEGREETALK 1.000 +# 4s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +############################### +# uri rules # +############################### + +uri SARE_SNAPSHUT /www\.(?:snapshut|contra)\.info/ +describe SARE_SNAPSHUT An open-and-shut case of Spam! +score SARE_SNAPSHUT 2.0 +# 32s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/21/04 + + +############################### +# OBFU body rules # +############################### + +#body SARE_OBFUAUCTION 
/(?!\bauctions?\b)(?:\b[a4]|\B(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[uv\*\xB5\xD9-\xDC\xF9-\xFC]|\xC5[\xA8-\xB3]|\xC6[\xAF-\xB0]|\xC7[\x93-\x9C]|\xCE\xB0|\xCE\xBC|\xCF\x8B|\xCF\x8D|\xD4\xB1|\xD5\x84|\xD5\x8D)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[c\*\xC7\xE7\xA2\xA9]|\xC4[\x86-\x8D]|\xD0\xA1|\xD1\x81)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[t\+]|\xC5[\xA2-\xA7]|\xCE\xA4|\xCF\x84|\xD0\xA2|\xD1\x82)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)?\b/i +#describe SARE_OBFUAUCTION masked spam word(s) +#score SARE_OBFUAUCTION 1.666 +# Original name: RM_bwo_Auction +# 51s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 6s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +#body SARE_OBFUMONEY1 
/(?!\bMoney\b)(?:\bm|\B(?:rn|\/V\\|\/\\\/\\|\xCE\x9C|\xD0\x9C|\xD0\xBC))[\x01-\x2F\\\^_;`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[e3\*\xC8-\xCB\xE8-\xEB]|\xC4[\x92-\x9B]|\xCE\x88|\xCE\x95|\xCE\xA3|\xCE\xAD|\xCE\xB5|\xD0\x81|\xD0\x95|\xD0\xB5|\xD1\x91)[\x01-\x2F\\\^_;`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:y\b|(?:[\xA5\xDD\xFD]|\xC5[\xB6-\xB8]|\xCE\x8E|\xCE\xA5|\xCE\xA8|\xCE\xAB|\xCE\xB3|\xD0\xA3|\xD1\x83|\xD1\x9E|\xD2[\xAE-\xB1])\B)/i +#describe SARE_OBFUMONEY1 masked spam word(s) +#score SARE_OBFUMONEY1 2.222 +# Original name: RM_bwo_Money +# 1145s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 66s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body SARE_OBFUMONEY2 /\b(?!mo(?:nk?|on)ey)m.?o.?n.?e.?y\b/i +describe SARE_OBFUMONEY2 masked spam word(s) +score SARE_OBFUMONEY2 1.000 +# Original name: RM_bwo_Money2 +# 836s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 51s/0h of 15929 corpus (13729s/2200h) 03/21/04 + + +############################### +# meta rules # +############################### + +body SARE_NONACCRED /non.{1,4}accredited/i +describe SARE_NONACCRED Talks about a non-accredited something +score SARE_NONACCRED 0.388 +# 180s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 7s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +body __SARE_PRESTIGE /get (?:the )?prestige/i +describe __SARE_PRESTIGE Talks about "getting prestige" + +body __SARE_ADMIR /benefits (?:and )?admiration/i +describe __SARE_ADMIR Talks about "benefits and admiration" + +body __SARE_DIPLOMA /university 
(?:diploma|degree)/i +describe __SARE_DIPLOMA Talks about "university diplomas" + +body __SARE_DEGREES /(?:\bmba\b|\bmasters?\b|\bbachelors?\b|\bdoctor(?:al|ate)\b|\bphd\b)/i +describe __SARE_DEGREES Enumerates or mentions degree types. + +body __SARE_LIFE_EXP /\blife experience\b/i +describe __SARE_LIFE_EXP Talks about "life experience" + +body __SARE_NOTESTS /no (?:required )?tests[\. ,!]/i +describe __SARE_NOTESTS No testing required + +body __SARE_PHONE_NUM /\(?\d\d\d\)?\D\d\d\d\D\d\d\d\d/i +describe __SARE_PHONE_NUM Contains a telephone number + +body __SARE_NOREJECT /no ?one (?:is )?turned down/i +describe __SARE_NOREJECT No one is turned down! + +meta SARE_COLLEGE_SCAM ((SARE_NONACCRED + __SARE_PRESTIGE + __SARE_LIFE_EXP + __SARE_DIPLOMA + __SARE_ADMIR + __SARE_NOTESTS + __SARE_PHONE_NUM + __SARE_NOREJECT + __SARE_DEGREES) > 2) +describe SARE_COLLEGE_SCAM Tries to sell you a "degree" +score SARE_COLLEGE_SCAM 3.5 +# 831s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 34s/0h of 15929 corpus (13729s/2200h) 03/21/04 + + +header __SARE_TOSALESAT To =~ /^sales\@/ +body __SARE_BADLOGOS /\bIo[gq]o(?:s)?\b/i +body __SARE_POORQUAL /gua[lI]ity/ +meta SARE_SNAPPYLOGOS (__SARE_TOSALESAT && (__SARE_BADLOGOS || __SARE_POORQUAL)) +describe SARE_SNAPPYLOGOS Get your free logos here! Only $49.95 each!! +score SARE_SNAPPYLOGOS 3.0 +# 29s/0h of 119325 corpus (98981s/20344h) 03/21/04 +# 0s/0h of 15929 corpus (13729s/2200h) 03/21/04 + +# EOF + diff --git a/common/sare/99_sare_fraud_post25x.cf b/common/sare/99_sare_fraud_post25x.cf new file mode 100644 index 0000000..0069405 --- /dev/null +++ b/common/sare/99_sare_fraud_post25x.cf 
@@ -0,0 +1,69 @@ +# SARE Fraud Ruleset for SpamAssassin 2.5x and higher +# Version: 01.03.02 # NOTE: Please update your scripts to pull this file from it's new location http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf +# Created: 03/09/2004 +# Modified: 05/01/2004 +# Changes: Added some more phrases +# License: Artistic - see http://www.rulesemporium.com/license.txt +# Current Maintainer: Matt Yackley - fraud@rulesemporium.com +# Current Home: http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf +# Requirements: SpamAssassin 2.5x or higher +# SA 3.0 compliant: Yes +# If you are running SpamAssassin 2.4x or earlier, you should run 99_sare_fraud_pre25x.cf instead. +# Since there some overlap with the pre-existing rules, we have included the option to turn off the default SpamAssassin rules +## + +body __SARE_FRAUD_BADTHINGS /(?:all funds will be returned|ass?ylum|assassinate|(?:auto|boat|car|plane|train).{1,7}(?:crash|accident|disaster|wreck)|before they both died|brutal acts|cancer|coup attempt|disease|due to the current|\bexile\b|\bfled|\bflee\b|have been frozen|impeach|\bkilled|land dispute|murder|over-invoice|political crisis|poisoned (?:to death )?by|relocate|since the demise|\bslay\b)/i +body __SARE_FRAUD_DPTCOMPNY /(?:allied irish bank|amsterdam clearing office|(?:bank|government) (of )?nigeria|charity organization|commerce world directory|correspondent branch|department of mineral resources and energy|diamond safari|embassy|finance and accounts director of inec|foreign contract tenders committee|global oil corporation|holding company|international (?:bank|court of justice)|mainland investment trust bank|mining corporation|ministry of (?:oil (?:and )?mini?eral|organisation worldwide|petroleum and natural resources|urban and rural development)|nigerian national petroleum corporation|prize award dept|securit(?:ies|y) (?:company|firm|storage house)|security & finance firm in amsterdam|sierra leone mining)/i +body __SARE_FRAUD_INTRO /(?:(?:may i 
first|to) introduce my ?self|contact address|i am contacting you)/i +body __SARE_FRAUD_REPLY /(?:confidential email|my secure email address|reply (?:me only|urgent)|(?:immediate|swift|urgent) (?:assist|reply|response))/i +body __SARE_FRAUD_LOC /\s(?:abidjan|algeria|angola|benin republic|bangladesh|botswana|c.te .{0,2}ivoire|congo|dubai|gabon|ghana|kogi|lagos|liberia|libya|malaysia|nigerian?|phill?ipp?ine.|qatar|republic.du.benin|republic.of.sahara|saharawi|senegal|sierra.leone|solomon islands|south.africa|togo(?:lese)?|u\.a\.e\.i\.|zimbabwe)\s/i +body __SARE_FRAUD_MISC /(?:a native of|as the beneficiary|compliments? of the season|confidentiality and professionalism|eagerly await|of (?:the|my) late|on information gathered about you, we believe|(?:relate|share) my testimony|remains unclaimed|several attempts have been made with out success|very big risk|you and your company|youre? country)/i +body __SARE_FRAUD_MONEY /(?:abandoned sum|(?:huge|substantial) amount of m[o0]ney|(?:transfer this fund|money transfer|transfer money)|(?:will share the money|your share.{1,10}(?:shall|sum|total|money|funds))|assets have been confiscated|be paid to you|claim a sum of|(?:claim|concerning) (?:the|this) money|family asset|foreign (?:offshore )?(?:bank|account)|how the money will be split|kick.{0,2}back|million usd|offer you a generous compensation|personal bank account|remains unclaimed|secure.{1,10}funds|the total sum|transferring (of|the) funds?|us.{1,9}million|win cash|you are.{0,8}winner|your (?:pr[i1]ze|share shall be))/i +body __SARE_FRAUD_PAPERWORK /(?:all necessary legal documents|covering documents|international passport|legal official protocol|letter of authority|Next of Kin Payment Application Form|provide immediately|writing this letter to solicit|vital documents)/i +body __SARE_FRAUD_VIPS /(?:(?:white|black|zimbabwean) farmers?|auditor general of the federal republic of nigeria|(?:former|late) (?:president of|.{0,20}minister)|head of state|nigerian gov|president of 
(the )?phillipine|principal advocate and solicitor)/i +body __SARE_FRAUD_FOREIGN /(?:(?:who was a|as a|an? honest|you being a|to any) foreigner|foreign (?:business partner|customer))/i +body __SARE_FRAUD_BARRISTER /(?:accredited agent|adviser to late|barrister|fiduciary agent|i am a private investigator|personal attorney to|relationship officer|solicit[oe]r)/i +body __SARE_FRAUD_FAMILY /(?:my late (?:husband|wife|brother|uncle|aunt|father|mother) (?:was|is|had|has)|locate(?: .{1,20})? extended relative|next of kin|the (?:eldest|oldest|youngest|first) son|the (?:wife|heir) (?:to|of))/i +body __SARE_FRAUD_RELIGION /(?:almighty god|as a born again christian|as a minister|call a prayer line|calvary greeting|eternity is a long t[io]me|fear of god|g[ai]ve.{1,15}life to christ|glorify god'?s name|god (?:has|have|will) forgiven? me|god gives .{1,10}second chance|god want(?:ed|s)? it|goodday pastor|hear from god|if you\'?re? not saved|in the (?:lord'?s name|name of (?:our|the) lord)|jesus is yours|money.{1,15}give.{1,15}ministry|new christian convert|pray daily|read(?:ing)? 
(?:the|your) bible|sinful habits|spend (?:.{1,20})in hell|the wish of god|true christian|wealth to god|your ministry)/i +body __SARE_FRAUD_TINHORN /\s(?:abacha|abubakar|ajobola|anigala|arap moi|aziz|bubenik|ewaen|gebarel|gezi|guei|gumbeze|ibiam|kabbahs|kabila|kamara|kazeem|margai|massaquoi|mbeki|mobutu|momoh|mubune|mugabe|obasanjo|okafor|olonga|olumuyiwa|omo(?:nigho|rodion)|rilwanu|savimbi|seko|tarlor|taylor|zaid|zwinginna)\s/i +body __SARE_FRAUD_TRUST /(?:(?:total(?:ly)?|very|strict(?:ly|est)|high(?:est|ly)?|intuitive|utmost) confiden(?:ce|t(?:ai|ia)l)|code of conduct|confidential (?:communications|telephone numbers)|(?:honest|honourable) (?:cooperation|partnership)|keep this matter|mutual understanding|reliable person|secrecy and confidentiality|secretly deposited|smooth transaction|to (?:assure you|redeem)|(?:the importance of|utmost) secrecy|transaction is .{1,15} risk free.|transparent honesty|trust (?:and|&) confidentiality|very honest person|your assurance)/i +body __SARE_FRAUD_AGREE /(?:(?:(?:negotiate|reasonable|acc?or?ding|certain|agg?ree).{1,20}percentage|percentage.{1,10}(?:indicat|previous|involved)|favou?rable response|your percentage will)|my proposal is acceptable|acceptable by you|said purposes within your country|total acceptance and commitment)/i +body __SARE_FRAUD_LOTTERY /(?:(?:international|luckyday|overseas stake|promo|world) lott(?:o|ery)|lott(?:o|ery) (?:co,?ordinator|international)|intl loteria|prize transfer agent|scientific game promo|award notification)/i +body __SARE_FRAUD_PROPOSE /(?:urgent and(?: very)? (?:profitable|confidential) business (?:proposal|proposition)|(?:financial|confiden(?:tial|ce)|safe|mutual|secret|success|risk-?free|details|business).{1,30}\btransaction|transaction\b.{1,30}\b(?:magnitude|diplomatic|strict|absolute|secret|confiden(?:tial|ce)|guarantee))/i +body __SARE_FRAUD_CONTACT /(?:your full names?,?(?:and|&)? full contact address|your(?: private)? 
(?:tele)?phone (?:and|&) fax numbers?|send .{1,30}\byour telefax numbers?)/i +body __SARE_FRAUD_FUNWORDS /(?:actualization|arising contigencies|bequest|discursions|magnanimity|modalities|non response|numbered time|(?:should|please) endeavor|receivership)/i +body __SARE_FRAUD_LOTTERY2 /(?:attached to ticket number|computer ballot system|drawn ?from.{0,10}\d{2,3},?\d{3}|second categories)/i +body __SARE_FRAUD_REFNUM /reff?\.?(?: number|no)? ?\:/i + +meta SARE_FRAUD_X3 ((__SARE_FRAUD_BADTHINGS + __SARE_FRAUD_DPTCOMPNY + __SARE_FRAUD_INTRO + __SARE_FRAUD_LOC + __SARE_FRAUD_MONEY + __SARE_FRAUD_PAPERWORK + __SARE_FRAUD_VIPS + __SARE_FRAUD_RELIGION + __SARE_FRAUD_TINHORN + __SARE_FRAUD_TRUST + __SARE_FRAUD_AGREE + __SARE_FRAUD_REPLY + __SARE_FRAUD_FAMILY + __SARE_FRAUD_LOTTERY + __SARE_FRAUD_BARRISTER + __SARE_FRAUD_FOREIGN + __SARE_FRAUD_PROPOSE + __SARE_FRAUD_CONTACT + __SARE_FRAUD_FUNWORDS + __SARE_FRAUD_LOTTERY2 + __SARE_FRAUD_REFNUM) > 2) +describe SARE_FRAUD_X3 Matches 3+ phrases commonly used in fraud spam +score SARE_FRAUD_X3 1.667 + +meta SARE_FRAUD_X4 ((__SARE_FRAUD_BADTHINGS + __SARE_FRAUD_DPTCOMPNY + __SARE_FRAUD_INTRO + __SARE_FRAUD_LOC + __SARE_FRAUD_MONEY + __SARE_FRAUD_PAPERWORK + __SARE_FRAUD_VIPS + __SARE_FRAUD_RELIGION + __SARE_FRAUD_TINHORN + __SARE_FRAUD_TRUST + __SARE_FRAUD_AGREE + __SARE_FRAUD_REPLY + __SARE_FRAUD_FAMILY + __SARE_FRAUD_LOTTERY + __SARE_FRAUD_BARRISTER + __SARE_FRAUD_FOREIGN + __SARE_FRAUD_PROPOSE + __SARE_FRAUD_CONTACT + __SARE_FRAUD_FUNWORDS + __SARE_FRAUD_LOTTERY2 + __SARE_FRAUD_REFNUM) > 3) +describe SARE_FRAUD_X4 Matches 4+ phrases commonly used in fraud spam +score SARE_FRAUD_X4 1.667 + +meta SARE_FRAUD_X5 ((__SARE_FRAUD_BADTHINGS + __SARE_FRAUD_DPTCOMPNY + __SARE_FRAUD_INTRO + __SARE_FRAUD_LOC + __SARE_FRAUD_MONEY + __SARE_FRAUD_PAPERWORK + __SARE_FRAUD_VIPS + __SARE_FRAUD_RELIGION + __SARE_FRAUD_TINHORN + __SARE_FRAUD_TRUST + __SARE_FRAUD_AGREE + __SARE_FRAUD_REPLY + __SARE_FRAUD_FAMILY + __SARE_FRAUD_LOTTERY + 
__SARE_FRAUD_BARRISTER + __SARE_FRAUD_FOREIGN + __SARE_FRAUD_PROPOSE + __SARE_FRAUD_CONTACT + __SARE_FRAUD_FUNWORDS + __SARE_FRAUD_LOTTERY2 + __SARE_FRAUD_REFNUM) > 4) +describe SARE_FRAUD_X5 Matches 5+ phrases commonly used in fraud spam +score SARE_FRAUD_X5 1.667 + +meta SARE_FRAUD_X6 ((__SARE_FRAUD_BADTHINGS + __SARE_FRAUD_DPTCOMPNY + __SARE_FRAUD_INTRO + __SARE_FRAUD_LOC + __SARE_FRAUD_MONEY + __SARE_FRAUD_PAPERWORK + __SARE_FRAUD_VIPS + __SARE_FRAUD_RELIGION + __SARE_FRAUD_TINHORN + __SARE_FRAUD_TRUST + __SARE_FRAUD_AGREE + __SARE_FRAUD_REPLY + __SARE_FRAUD_FAMILY + __SARE_FRAUD_LOTTERY + __SARE_FRAUD_BARRISTER + __SARE_FRAUD_FOREIGN + __SARE_FRAUD_PROPOSE + __SARE_FRAUD_CONTACT + __SARE_FRAUD_FUNWORDS + __SARE_FRAUD_LOTTERY2 + __SARE_FRAUD_REFNUM) > 5) +describe SARE_FRAUD_X6 Matches 6+ phrases commonly used in fraud spam +score SARE_FRAUD_X6 1.667 + + +############## +# Optional # +############## + +# score NIGERIAN_BODY1 0.0 +# score NIGERIAN_BODY2 0.0 +# score NIGERIAN_BODY3 0.0 +# score NIGERIAN_BODY4 0.0 +# score NIGERIAN_SCAM_VIRTUE 0.0 +# score NIGERIAN_SUBJECT1 0.0 +# score NIGERIAN_SUBJECT2 0.0 +# score NIGERIAN_BODY_GOVT_3 0.0 +# score NIGERIAN_SUBJECT6 0.0 + +# EOF \ No newline at end of file diff --git a/lists/user_prefs b/lists/user_prefs index 205ca3a..a94ff15 100644 --- a/lists/user_prefs +++ b/lists/user_prefs 
@@ -52,17 +52,17 @@ bayes_auto_learn_threshold_spam 27
 # SARE-rules (http://www.rulesemporium.com/rules.htm)
 ################################################################
-include /var/list/.spamassassin/sare-rules/70_sare_adult.cf
-include /var/list/.spamassassin/sare-rules/70_sare_header0.cf
-include /var/list/.spamassassin/sare-rules/70_sare_header1.cf
-include /var/list/.spamassassin/sare-rules/70_sare_html0.cf
-include /var/list/.spamassassin/sare-rules/70_sare_html1.cf
-include /var/list/.spamassassin/sare-rules/70_sare_oem.cf
-include /var/list/.spamassassin/sare-rules/70_sare_specific.cf
-include /var/list/.spamassassin/sare-rules/70_sare_stocks.cf
-include /var/list/.spamassassin/sare-rules/72_sare_bml_post25x.cf
-include /var/list/.spamassassin/sare-rules/75_black_uri_list.cf
-include /var/list/.spamassassin/sare-rules/99_sare_fraud_post25x.cf
+#include /var/list/.spamassassin/sare-rules/70_sare_adult.cf
+#include /var/list/.spamassassin/sare-rules/70_sare_header0.cf
+#include /var/list/.spamassassin/sare-rules/70_sare_header1.cf
+#include /var/list/.spamassassin/sare-rules/70_sare_html0.cf
+#include /var/list/.spamassassin/sare-rules/70_sare_html1.cf
+#include /var/list/.spamassassin/sare-rules/70_sare_oem.cf
+#include /var/list/.spamassassin/sare-rules/70_sare_specific.cf
+#include /var/list/.spamassassin/sare-rules/70_sare_stocks.cf
+#include /var/list/.spamassassin/sare-rules/72_sare_bml_post25x.cf
+#include /var/list/.spamassassin/sare-rules/75_black_uri_list.cf
+#include /var/list/.spamassassin/sare-rules/99_sare_fraud_post25x.cf
 ################################################################
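Review bot: `75_black_uri_list.cf` is switched off in this hunk and does not come back anywhere visible: it is one of the eleven absolute-path includes turned into `#include`, but the `common/sare/` block added in the `@@ -78,6 +78,26 @@` hunk has no 75_* entry, and no such file is added in the part of the diff shown here. If dropping the URI blacklist is intended, the commit message should say so and the line can simply be deleted; otherwise the new block needs `include common/sare/75_black_uri_list.cf` together with the file. The other ten commented-out lines duplicate the new block, so removing them instead of leaving `#include` under the SARE banner would keep the section from reading as a disabled feature.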
@@ -78,6 +78,26 @@ include /var/list/.spamassassin/newer-rules/60_whitelist_dk.cf
 include /var/list/.spamassassin/newer-rules/70_iadb.cf
 include /var/list/.spamassassin/newer-rules/80_additional.cf
+include common/sare/70_sare_adult.cf
+include common/sare/70_sare_header0.cf
+include common/sare/70_sare_header1.cf
+include common/sare/70_sare_header2.cf
+include common/sare/70_sare_header3.cf
+include common/sare/70_sare_header.cf
+include common/sare/70_sare_header_eng.cf
+include common/sare/70_sare_html0.cf
+include common/sare/70_sare_html1.cf
+include common/sare/70_sare_html2.cf
+include common/sare/70_sare_html3.cf
+include common/sare/70_sare_html4.cf
+include common/sare/70_sare_html.cf
+include common/sare/70_sare_oem.cf
+include common/sare/70_sare_specific.cf
+include common/sare/70_sare_spoof.cf
+include common/sare/70_sare_stocks.cf
+include common/sare/72_sare_bml_post25x.cf
+include common/sare/99_sare_fraud_post25x.cf
+
 # Include common spam stuff
 include common/common_spam
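Review bot: The added `include common/sare/...` block enables every SARE set at its shipped scores, and nothing in this hunk documents or bounds what those rules can add to a list message. The fraud file added in this commit scores `SARE_FRAUD_X3` through `SARE_FRAUD_X6` at 1.667 each over the same sum, so a mail hitting six sub-rules collects all four scores, and its `NIGERIAN_*` overrides stay commented out, so the stock rules presumably score on top. Sub-rules such as `__SARE_FRAUD_LOC` and `__SARE_FRAUD_BADTHINGS` match single country names and words like `cancer` or `relocate`, which ordinary list traffic can contain. I would put a comment above the block, e.g. `# SARE rules vendored in common/sare; local score overrides belong in this file, not in the vendored ones`, and check the sets that were not loaded before (`header2`, `header3`, `html2` to `html4`, `spoof`) against list ham before keeping them.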