# SARE Spammer URI Rule Set for SpamAssassin - file 3 # Version: 01.01.03 # Created: 2004-09-13 # Modified: 2005-10-05 # Usage instructions and documentation are found in 70_sare_uri0.cf #@@# Revision History: Full Revision History stored in 70_sare_uri.log #@@# 01.01.03: Oct 05 2005 #@@# Minor score updates based on additional mass-check #@@# Archived from file 3: SARE_URI_NUMASP8 #@@# Archived from file 3: SARE_URI_PERV #@@# Moved file 3 to file 4: SARE_URI_NUM_SUBDOM #@@# Renamed __SARE_BODY_BLANKS_5_100 to __SARE_BODY_BLNK_5_100 # License: Artistic - see http://www.rulesemporium.com/license.txt # Current Maintainer: Bob Menschel - uri@rulesemporium.com # Current Home: http://www.rulesemporium.com/rules/70_sare_uri3.cf ######## ###################### ################################################## # Rule definitions to avoid --lint errors on archived/moved rules. ######## ###################### ################################################## meta SARE_URI_NUMASP8 0 meta SARE_URI_PERV 0 meta SARE_URI_NUM_SUBDOM 0 ######## ###################### ################################################## # Category: Sub-rules needed by others ######## ###################### ################################################## uri __SARE_URI_ANY /./ #hist __SARE_URI_ANY Murty Rompalli, 2005-01-03 body __SARE_BODY_BLNK_5_100 eval:check_blank_line_ratio('5','100') #hist __SARE_BODY_BLNK_5_100 Murty Rompalli, 2005-01-03 meta __SARE_META_MURTY3 (__SARE_URI_ANY && __SARE_BODY_BLNK_5_100) #hist __SARE_META_MURTY3 Murty Rompalli, 2005-01-03 ######## ###################### ################################################## # Category: URI links identified by spammer words ######## ###################### ################################################## uri SARE_URI_DIET m'http://[^/]*diet\.'i describe SARE_URI_DIET body contains link to probable spammer score SARE_URI_DIET 0.117 #ham SARE_URI_DIET southbeachdiet.com #hist SARE_URI_DIET Created by Bob Menschel May 29 2004 #counts SARE_URI_DIET 114s/69h of 689155 corpus (348140s/341015h RM) 09/18/05 #max SARE_URI_DIET 147s/0h of 66948 corpus (41731s/25217h RM) 09/05/04 #counts SARE_URI_DIET 22s/0h of 57287 corpus (52272s/5015h MY) 09/22/05 #counts SARE_URI_DIET 1s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05 #max SARE_URI_DIET 14s/0h of 44759 corpus (16528s/28231h JH-SA3.0rc1) 09/06/04 #counts SARE_URI_DIET 0s/0h of 682 corpus (290s/392h CRF) 02/16/05 #counts SARE_URI_DIET 9s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 #counts SARE_URI_DIET 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05 uri SARE_URI_OPTOUT /optout\.php/i describe SARE_URI_OPTOUT Unsubscribe at this link score SARE_URI_OPTOUT 0.611 #ham SARE_URI_OPTOUT valid forward of a newsletter than used this unsubscribe link #hist SARE_URI_OPTOUT Fred Tarasevicius - FU_PAGE_OPT_OUT #counts SARE_URI_OPTOUT 188s/13h of 689155 corpus (348140s/341015h RM) 09/18/05 #max SARE_URI_OPTOUT 802s/0h of 114212 corpus (81067s/33145h RM) 01/19/05 #counts SARE_URI_OPTOUT 27s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05 #counts SARE_URI_OPTOUT 16s/0h of 57287 corpus (52272s/5015h MY) 09/22/05 #max SARE_URI_OPTOUT 23s/0h of 31513 corpus (27912s/3601h MY) 03/09/05 #counts SARE_URI_OPTOUT 0s/0h of 682 corpus (290s/392h CRF) 02/16/05 #counts SARE_URI_OPTOUT 10s/9h of 10629 corpus (5847s/4782h CT) 09/18/05 #counts SARE_URI_OPTOUT 0s/1h of 7500 corpus (1767s/5733h ft) 09/18/05 ######## ###################### ################################################## # Category: URI links identified by spammer names ######## ###################### ################################################## uri SARE_URI_MAILDD /\@mail\d+\.com/i describe SARE_URI_MAILDD Email header points to possible spam source score SARE_URI_MAILDD 0.306 #hist SARE_URI_MAILDD Created by Bob Menschel Aug 20 2004 #counts SARE_URI_MAILDD 13s/3h of 689155 corpus (348140s/341015h RM) 09/18/05 #max SARE_URI_MAILDD 26s/0h of 61459 corpus (36652s/24807h RM) 08/24/04 #counts SARE_URI_MAILDD 3s/0h of 57287 corpus (52272s/5015h MY) 09/22/05 #max SARE_URI_MAILDD 6s/0h of 19448 corpus (16863s/2585h MY) 09/06/04 #counts SARE_URI_MAILDD 6s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05 #max SARE_URI_MAILDD 9s/0h of 44759 corpus (16528s/28231h JH-SA3.0rc1) 09/06/04 #counts SARE_URI_MAILDD 0s/0h of 682 corpus (290s/392h CRF) 02/16/05 ######## ###################### ################################################## # Category: URI links identified by technical attributes ######## ###################### ################################################## ######## ###################### ################################################## # Category: URI links identified by use of randomizing characters ######## ###################### ################################################## uri SARE_URI_4ALL /4all\.com/i describe SARE_URI_4ALL body contains link to known spammer score SARE_URI_4ALL 0.728 #hist SARE_URI_4ALL Created by Bob Menschel May 10 2004 #ham SARE_URI_4ALL http://www.genealogy4all.com #counts SARE_URI_4ALL 21s/0h of 689155 corpus (348140s/341015h RM) 09/18/05 #counts SARE_URI_4ALL 5s/0h of 57287 corpus (52272s/5015h MY) 09/22/05 #max SARE_URI_4ALL 6s/0h of 19448 corpus (16863s/2585h MY) 09/06/04 #counts SARE_URI_4ALL 3s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05 #max SARE_URI_4ALL 8s/0h of 44759 corpus (16528s/28231h JH-SA3.0rc1) 09/06/04 #counts SARE_URI_4ALL 0s/0h of 682 corpus (290s/392h CRF) 02/16/05 #counts SARE_URI_4ALL 2s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 #counts SARE_URI_4ALL 0s/6h of 7500 corpus (1767s/5733h ft) 09/18/05 uri SARE_URI_DOM_ENDU m{/u$}i describe SARE_URI_DOM_ENDU Domain has suspicious spammer-like format score SARE_URI_DOM_ENDU 0.213 #hist SARE_URI_DOM_ENDU Fred Tarasevicius - FU_ENDS_WITH_U #counts SARE_URI_DOM_ENDU 7s/4h of 689155 corpus (348140s/341015h RM) 09/18/05 #max SARE_URI_DOM_ENDU 137s/1h of 114212 corpus (81067s/33145h RM) 01/19/05 #counts SARE_URI_DOM_ENDU 13s/1h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05 #counts SARE_URI_DOM_ENDU 2s/0h of 57287 corpus (52272s/5015h MY) 09/22/05 #max SARE_URI_DOM_ENDU 7s/0h of 27707 corpus (24264s/3443h MY) 02/27/05 #counts SARE_URI_DOM_ENDU 0s/0h of 682 corpus (290s/392h CRF) 02/16/05 #counts SARE_URI_DOM_ENDU 1s/0h of 10629 corpus (5847s/4782h CT) 09/18/05 ######## ###################### ################################################## # Category: URI links identified by web page/file names ######## ###################### ################################################## uri SARE_URI_CANCEL /\/cancel\.(?:htm|asp|pgp|cgi)/i describe SARE_URI_CANCEL Contains a likely spammer unsubscribe link score SARE_URI_CANCEL 0.027 #hist SARE_URI_CANCEL Bob Menschel expanded from RE_uws_CancelHtm Aug 29 2004 #ham SARE_URI_CANCEL restaurant's online reservation (and cancellation) URI #counts SARE_URI_CANCEL 3s/2h of 689155 corpus (348140s/341015h RM) 09/18/05 #max SARE_URI_CANCEL 7s/1h of 175589 corpus (98978s/76611h RM) 02/14/05 #counts SARE_URI_CANCEL 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05 #max SARE_URI_CANCEL 4s/0h of 19448 corpus (16863s/2585h MY) 09/06/04 #counts SARE_URI_CANCEL 2s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05 #counts SARE_URI_CANCEL 0s/0h of 682 corpus (290s/392h CRF) 02/16/05 # EOF