# SB-CONTENTPATTERNS.RC
#
# The old PATTERNMATCHING filters gathered in a safe
# place by themselves. :) The PATTERNMATCHING variable
# controls how these work and are scored. You can disable
# these patterns entirely if you do not want to use this
# type of filtering, or control what the score given to
# matches is.
#
# How each test in this file is laid out:
#   1. TESTNAME, TESTPATTERNS, TESTLAST and TESTUPDATED are set
#      for the test.
#   2. TESTSCORE is assigned according to PATTERNMATCHING
#      (LOW/MEDIUM/HIGH).
#   3. ${SBDIR}/functions/identify-patterns.rc is included. That
#      file is not shown here; presumably it reads the variables
#      above and applies the pattern file -- confirm.
#
# NOTE(review): the section descriptions below talk about
# PATTERNMATCHING=SPAM, MIXED and BLOCK, but every recipe in this
# file tests PATTERNMATCHING against LOW, MEDIUM and HIGH. The
# prose may predate the recipes -- confirm which set of values
# is current.
#
# NOTE(review): TESTSCORE is only assigned when PATTERNMATCHING
# matches one of the tested values. For any other value, nothing
# in this file assigns TESTSCORE before identify-patterns.rc is
# included, so it keeps whatever it held before. Confirm that the
# caller or identify-patterns.rc skips the test in that case.

# SECTION 1: "STRONG" PATTERNS
#
# The patterns in this section are for types of spam that
# are relatively reliably caught using patterns that do not
# generate any significant number of false positives. Email
# caught using one of these patterns is scored at SPAMLEVEL
# if PATTERNMATCHING=SPAM or PATTERNMATCHING=MIXED is set,
# and at BLOCKLEVEL if PATTERNMATCHING=BLOCK is set.
#
# In this section TESTSCORE is 5 for LOW, 8 for MEDIUM and
# 10 for HIGH.

# Bogus URL Spam
#
# Last reported spam: 10/22/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Patterns to catch various types of malformatted URLs
# in spam. Spammers do this to obfuscate the URL to
# humans or filters looking at the source code of their
# spams, or to take advantage of browser bugs.
#
TESTNAME='Bogus URL'
TESTPATTERNS=${SBDIR}/grey/bogus-url-patterns.rc
TESTLAST=20051022
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=5 }

:0
* PATTERNMATCHING ?? ^MEDIUM$
{ TESTSCORE=8 }

:0
* PATTERNMATCHING ?? ^HIGH$
{ TESTSCORE=10 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# Penis Enlargement Patterns
#
# Last reported spam: 4/15/06
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Patterns to catch "enlarge !" spam.
#
# NOTE(review): the header above says the last report was
# 4/15/06, but TESTLAST below is 20051022. One of the two looks
# stale -- confirm which.
#
TESTNAME='Penis Enlargement'
TESTPATTERNS=${SBDIR}/grey/penis-enlargement-patterns.rc
TESTLAST=20051022
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=5 }

:0
* PATTERNMATCHING ?? ^MEDIUM$
{ TESTSCORE=8 }

:0
* PATTERNMATCHING ?? ^HIGH$
{ TESTSCORE=10 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# "Replica" (Knockoff) Spam
#
# Last reported spam: 10/22/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/18/04:
# Long-time spammer has gotten much more prolific
# lately. :/
#
# 10/29/04:
# Moved into replica Cartier, then replica handbags...
# What next?
#
# 10/15/05:
# This might have been one spammer a couple of years
# ago, but it's a bunch of them now. Spam for people
# pushing replicas or knockoffs of famous brands,
# such as Rolex watches, is all over the place.
#
# Status: Active Spammer
#
TESTNAME='Replica/Knockoff'
TESTPATTERNS=${SBDIR}/grey/replicarolex-patterns.rc
TESTLAST=20051022
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=5 }

:0
* PATTERNMATCHING ?? ^MEDIUM$
{ TESTSCORE=8 }

:0
* PATTERNMATCHING ?? ^HIGH$
{ TESTSCORE=10 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# Stock Pumping Spam
#
# Last reported spam: 11/11/05
# Data files last updated: 11/11/05
#
# Other Relevant Info:
#
# 4/04/05:
# This isn't a single spammer, but a whole class of
# spam characterized by promotion of specific stocks
# in hopes that people will buy and the stock price
# thereby go up. The spammer makes his/her money off
# of the increased stock price rather than directly
# from victims. This means that stock pumping spam
# does not need to have any valid contact information
# for the spammer, making it hard to catch/stop.
#
# Status: Active Spammer
#
TESTNAME='Stock Pumping'
TESTPATTERNS=${SBDIR}/grey/stock-pumping-patterns.rc
TESTLAST=20051111
TESTUPDATED=20051111

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=5 }

:0
* PATTERNMATCHING ?? ^MEDIUM$
{ TESTSCORE=8 }

:0
* PATTERNMATCHING ?? ^HIGH$
{ TESTSCORE=10 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# SECTION 2: "WEAK" PATTERNS
#
# The patterns in this section are for types of spam that
# are fairly prolific, but for which a pattern matching
# filter is more problematic and more likely to lead to
# false positives. Email caught using these patterns is scored
# at SPAMLEVEL only if PATTERNMATCHING=SPAM, and at BLOCKLEVEL if
# PATTERNMATCHING=MIXED or PATTERNMATCHING=BLOCK is set.
#
# In this section TESTSCORE is 3 for LOW and 5 for both MEDIUM
# and HIGH, i.e. lower than the Section 1 scores.

# Cable TV/Digital Descrambler Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Spam trying to sell black boxes to steal Cable TV
# or Digital Satellite TV signals. :/
#
TESTNAME='Cable/Digital Descrambler'
TESTPATTERNS=${SBDIR}/grey/cable-tv-descrambler-patterns.rc
TESTLAST=20051015
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=3 }

:0
* PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
{ TESTSCORE=5 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# Chain Letter Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Those idiotic chain letters, been around since
# *paper* mail was invented, probably.
#
TESTNAME='Chain Letter'
TESTPATTERNS=${SBDIR}/grey/chain-letter-patterns.rc
TESTLAST=20051015
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=3 }

:0
* PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
{ TESTSCORE=5 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# Diploma Mill Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Scammers selling worthless educational services and
# degrees.
#
TESTNAME='Diploma Mill'
TESTPATTERNS=${SBDIR}/grey/diploma-mill-patterns.rc
TESTLAST=20051015
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=3 }

:0
* PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
{ TESTSCORE=5 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# HTML Spam Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Patterns typical of/common to HTML spam.
#
TESTNAME='HTML Patterns'
TESTPATTERNS=${SBDIR}/grey/html-patterns.rc
TESTLAST=20051015
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=3 }

:0
* PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
{ TESTSCORE=5 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# MMF/Online Business Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Those stupid Make*Money*Fast/Online Business spams
# that offer to sell you a "system" to make a fortune
# with no effort. The "system" in question is either
# worthless, or consists of telling you how to scam
# other fools into paying money for a system.
#
# The test is skipped when FROMEMAIL is the listed lockergnome
# address, or when the message already carries an X-SBRule
# header mentioning "Stock Pumping".
#
# NOTE(review): both skip conditions rest on values this file
# does not set. FROMEMAIL presumably comes from the sender
# address in the message, which is not authenticated; X-SBRule
# is presumably written by an earlier recipe. Confirm that
# X-SBRule headers already present on incoming mail are removed
# before this point, and that the sender exemption is acceptable
# given that a From address can be forged.
#
:0
* ! FROMEMAIL ?? ^(list_admin@lockergnome\.com)$
* ! ^X-SBRule:.*[^0-9a-z]Stock Pumping
{
        TESTNAME='MMF/Online Business'
        TESTPATTERNS=${SBDIR}/grey/mmf-onlinebiz-patterns.rc
        TESTLAST=20051015
        TESTUPDATED=20051015

        :0
        * PATTERNMATCHING ?? ^LOW$
        { TESTSCORE=3 }

        :0
        * PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
        { TESTSCORE=5 }

        INCLUDERC=${SBDIR}/functions/identify-patterns.rc
}

# Mortgage Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Spam selling cheap mortgages.
#
TESTNAME='Mortgage'
TESTPATTERNS=${SBDIR}/grey/mortgage-patterns.rc
TESTLAST=20051015
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=3 }

:0
* PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
{ TESTSCORE=5 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# Online Gambling Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Spam advertising online gambling services. (Illegal
# in many locales.)
#
TESTNAME='Online Gambling'
TESTPATTERNS=${SBDIR}/grey/online-gambling-patterns.rc
TESTLAST=20051015
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=3 }

:0
* PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
{ TESTSCORE=5 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# Pharmacy Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Spam advertising online gambling services. (Illegal
# in many locales.)
#
# NOTE(review): the description above is word for word the
# Online Gambling one and looks like a copy/paste leftover.
# This recipe loads pharmacy-patterns.rc and reports as
# 'Drug/Pharmacy'.
#
TESTNAME='Drug/Pharmacy'
TESTPATTERNS=${SBDIR}/grey/pharmacy-patterns.rc
TESTLAST=20051015
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=3 }

:0
* PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
{ TESTSCORE=5 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# URL Spam Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Patterns typical of/common to spam URLs, but less
# certain than those in the Bogus URLs recipe.
#
TESTNAME='Spammy URL'
TESTPATTERNS=${SBDIR}/grey/url-patterns.rc
TESTLAST=20051015
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=3 }

:0
* PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
{ TESTSCORE=5 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# Work-From-Home Spam Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Work-From-Home scams.
#
TESTNAME='Work From Home'
TESTPATTERNS=${SBDIR}/grey/work-from-home-patterns.rc
TESTLAST=20051015
TESTUPDATED=20051015

:0
* PATTERNMATCHING ?? ^LOW$
{ TESTSCORE=3 }

:0
* PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
{ TESTSCORE=5 }

INCLUDERC=${SBDIR}/functions/identify-patterns.rc

# XXX/Porn Patterns
#
# Last reported spam: 10/15/05
# Data files last updated: 10/15/05
#
# Other Relevant Info:
#
# 10/15/05:
# Pornography. Although pornography is NOT equal to
# spam, so many porn sites spam like crazy (and use
# spyware and trojans, and do other scummy things)
# that a general XXX/Porn pattern is quite useful
# in catching spam. If you get legitimate email of
# a sexually explicit nature, especially legitimate
# bulk email like a mailing list, better whitelist it. :)
#
# The test is skipped when FROMEMAIL matches one of the four
# bulk-mail senders listed in the condition below.
#
# NOTE(review): the exemption is decided from FROMEMAIL alone.
# FROMEMAIL is set outside this file; if it is taken from the
# unauthenticated From: header, mail that merely claims one of
# these addresses also skips the test. Confirm how FROMEMAIL is
# derived and whether a stronger signal should be required.
#
:0
* ! FROMEMAIL ?? ^(itunes@([0-9a-z][-_0-9a-z]+\.)+itunes\.com|\
                   newsletter@liquidgeneration\.com|\
                   newsletters@livedaily\.com|\
                   atomfilms@([0-9a-z][-_0-9a-z]+\.)+shockwave\.com)$
{
        TESTNAME='XXX/Porn'
        TESTPATTERNS=${SBDIR}/grey/xxx-porn-patterns.rc
        TESTLAST=20051015
        TESTUPDATED=20051015

        :0
        * PATTERNMATCHING ?? ^LOW$
        { TESTSCORE=3 }

        :0
        * PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
        { TESTSCORE=5 }

        INCLUDERC=${SBDIR}/functions/identify-patterns.rc
}

# ASCII Art Patterns
#
# Last reported spam: 12/15/05
# Data files last updated: 12/15/05
#
# Other Relevant Info:
#
# 12/15/05:
# Some of the online drug/pharmacy spammers are using
# ASCII art to try to avoid spam filters. This recipe
# will detect patterns that are characteristic of
# ASCII art and score the email accordingly.
#
# The sender exemption below is the same four-address list used
# by the XXX/Porn recipe.
#
# NOTE(review): as there, the exemption depends only on
# FROMEMAIL, which this file does not set; confirm it cannot be
# satisfied by a forged sender address.
#
:0
* ! FROMEMAIL ?? ^(itunes@([0-9a-z][-_0-9a-z]+\.)+itunes\.com|\
                   newsletter@liquidgeneration\.com|\
                   newsletters@livedaily\.com|\
                   atomfilms@([0-9a-z][-_0-9a-z]+\.)+shockwave\.com)$
{
        TESTNAME='ASCII Art'
        TESTPATTERNS=${SBDIR}/grey/ascii-art-patterns.rc
        TESTLAST=20051215
        TESTUPDATED=20051215

        :0
        * PATTERNMATCHING ?? ^LOW$
        { TESTSCORE=3 }

        :0
        * PATTERNMATCHING ?? ^(MEDIUM|HIGH)$
        { TESTSCORE=5 }

        INCLUDERC=${SBDIR}/functions/identify-patterns.rc
}