# Local SpamAssassin rule set: rawbody/body/header/uri/full tests, their
# descriptions and scores, plus two meta rules that combine sub-tests.
# NOTE(review): this copy shows signs of text lost in extraction (see the
# EWG_* and UAH_VIAGRA_IMAGE rules); run `spamassassin --lint` against the
# restored file before deploying it.

#FROM SA/MD/SARE LISTS - All considered public domain or fair use.
#BY Warren Sallade for Drug Spams
#DISABLING DUE TO FALSE POSITIVES 2021-09-14
# NOTE(review): despite the "disabling" remark, the three EWG_* describe/score
# lines below are not commented out in this copy - confirm the intended state.
# Each pattern spells a drug name letter by letter and allows up to three
# whitespace characters between letters (\s{0,3}).
# NOTE(review): the patterns start with "/>" and have no closing "/", and the
# trailing " 5)" looks like the end of a separate meta expression; the rules
# named EWG_VIAGRA / EWG_CIALIS / EWG_VALIUM have no visible definition here.
# Presumably markup-like text was stripped - restore from the original file.
rawbody __EWG_BAD34 />\s{0,3}V\s{0,3}\s{0,3}I\s{0,3}\s{0,3}A\s{0,3}\s{0,3}G\s{0,3}\s{0,3}R\s{0,3}\s{0,3}A\s{0,3} 5)
describe EWG_VIAGRA Viagra Obfuscation SPAM
score EWG_VIAGRA 1.0

rawbody __EWG_BAD41 />\s{0,3}C\s{0,3}\s{0,3}I\s{0,3}\s{0,3}A\s{0,3}\s{0,3}L\s{0,3}\s{0,3}I\s{0,3}\s{0,3}S\s{0,3} 5)
describe EWG_CIALIS Cialis Obfuscation spam
score EWG_CIALIS 1.0

rawbody __EWG_BAD48 />\s{0,3}V\s{0,3}\s{0,3}A\s{0,3}\s{0,3}L\s{0,3}\s{0,3}I\s{0,3}\s{0,3}U\s{0,3}\s{0,3}M\s{0,3} 5)
describe EWG_VALIUM Valium Obfuscation Spam
score EWG_VALIUM 1.000

#FOR CURRENT RND_UC_CHAR SPAMS
# Subject still carries the literal "%RND_UC_CHAR" placeholder, i.e. a mailing
# template tag that was never expanded; scored high (5.0).
header SUBJ_RND_UC_CHAR_L Subject =~ /\%RND_UC_CHAR/
describe SUBJ_RND_UC_CHAR_L Subject contains literal RND_UC_CHAR tag
score SUBJ_RND_UC_CHAR_L 5.0

# Subject of the exact shape "Re: " + 2-8 uppercase letters + ", " + three
# lowercase words. The shape is generic, hence the low score (1.0).
header SUBJ_RND_UC_CHAR Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/
describe SUBJ_RND_UC_CHAR Subject fits RND_UC_CHAR pattern
score SUBJ_RND_UC_CHAR 1.0

# Case-insensitive match on three named .biz domains in any URI of the message.
uri PHARMACOURT_BIZ /\b(?:pharmacourt|pharmawarehouse|valuepointmeds)\.biz\b/i
describe PHARMACOURT_BIZ Includes a link to spammer www.pharmacourt.biz
score PHARMACOURT_BIZ 3.0

# Disabled meta rule: it depended on HABEAS_VIOLATOR and HABEAS_SWE.
#meta HABEAS_VIOLATOR_LOCAL (!HABEAS_VIOLATOR && PHARMACOURT_BIZ && HABEAS_SWE)
#describe HABEAS_VIOLATOR_LOCAL Spammer known to abuse Habeas mark
#score HABEAS_VIOLATOR_LOCAL 16.0

# NOTE(review): this pattern is split across two lines in this copy, which is
# not a valid rule; what remains matches an HTML comment of 10-20 alphanumerics
# followed by "</a></center>" at end of line. The text after "^" was presumably
# lost in extraction - restore from the original file.
rawbody UAH_VIAGRA_IMAGE /^
<\!--[a-zA-Z0-9]{10,20}--><\/a><\/center>$/i
describe UAH_VIAGRA_IMAGE Viagra Image
score UAH_VIAGRA_IMAGE 3.0

#INVALID QMAIL
# Message-ID containing ".qmail@" preceded by at least one lowercase letter.
header GERMANSPAM MESSAGEID =~ /^<.*[a-z].*\.qmail\@.*>/
describe GERMANSPAM Contains German Spam / Invalid Qmail Message ID
score GERMANSPAM 3.0

#GOOGLE Who really uses the "I'm Feeling Lucky" button anyway? by John Wilcock
# URI containing the word "google" followed anywhere later by "&btnI=".
# NOTE(review): "google" is not tied to the host part, so it also matches when
# the word appears only in a path or query string.
uri local_GOOGLE_LUCKY /(?:\bgoogle\b).+(?:&btnI=)/i
describe local_GOOGLE_LUCKY Redirect through Google Feeling Lucky
score local_GOOGLE_LUCKY 2.0

#ZD.NET's OPEN REDIR by Raymond Dijkxhoorn
# NOTE(review): the dots in "chkpt.zdnet.com" are unescaped and match any
# character; the pattern is case-sensitive and covers http:// only.
uri PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1 8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body

#TINYTEXT by Jonathan Maliepaard
# Both tiny-font rules are disabled (commented out).
#describe TINY_TEXT_1 Body includes very small html text
#rawbody TINY_TEXT_1 /FONT-SIZE: (?:1|1.5|2|2.5|3)px/i
#score TINY_TEXT_1 1.5
#describe TINY_TEXT_2 Body includes very small html text
#rawbody TINY_TEXT_2 /FONT-SIZE: (?:1|1.5|2|2.5|3)\;/i
#score TINY_TEXT_2 1.5

#HABEAS MARK TOO OFTEN FORGED
#REMOVED FOR 3.0SA
#score HABEAS_SWE 0.0

#patch to MS Outlook 2003 has changed the headers
#REMOVED FOR 3.0SA
#score FORGED_MUA_OUTLOOK 0.00

#SCORE ADJUSTMENTS
#REMOVED FOR 3.0SA
#score RCVD_IN_NJABL_DIALUP 1.5
#REMOVED FOR 3.0SA
#score RCVD_IN_DYNABLOCK 1.0
#REMOVED FROM RULES
# NOTE(review): unlike the entries above, this score line has no leading "#"
# in this copy and is therefore active - confirm whether that is intended.
score DNS_FROM_OPENWHOIS 2.0

#
# Abusive public hosting Raymond Dijkxhoorn
#
# Each rule adds 5.0 for any link to the named free-hosting domain.
# NOTE(review): all six patterns are anchored to "http://" and are
# case-sensitive, so https:// links are not covered; the ".*" before the
# domain also lets the name match when it appears later in the URL rather
# than in the host part.
uri PROLO_PUBWEB_UKGEO_CHECK1 /^http:\/\/.*uk\.geocities\.com\//
score PROLO_PUBWEB_UKGEO_CHECK1 5.0
describe PROLO_PUBWEB_UKGEO_CHECK1 PROLO_PUBWEB_UKGEO_CHECK1, Body

uri PROLO_PUBWEB_ITGEO_CHECK1 /^http:\/\/.*it\.geocities\.com\//
score PROLO_PUBWEB_ITGEO_CHECK1 5.0
describe PROLO_PUBWEB_ITGEO_CHECK1 PROLO_PUBWEB_ITGEO_CHECK1, Body

uri PROLO_PUBWEB_WWWGEO_CHECK1 /^http:\/\/.*www\.geocities\.com\//
score PROLO_PUBWEB_WWWGEO_CHECK1 5.0
describe PROLO_PUBWEB_WWWGEO_CHECK1 PROLO_PUBWEB_WWWGEO_CHECK1, Body

uri PROLO_HOSTING_PROHOSTING_CHK1 /^http:\/\/.*prohosting\.com\//
score PROLO_HOSTING_PROHOSTING_CHK1 5.0
describe PROLO_HOSTING_PROHOSTING_CHK1 PROLO_HOSTING_PROHOSTING_CHK1, Body

uri PROLO_HOSTING_XTHOST_CHK1 /^http:\/\/.*xthost\.info\//
score PROLO_HOSTING_XTHOST_CHK1 5.0
describe PROLO_HOSTING_XTHOST_CHK1 PROLO_HOSTING_XTHOST_CHK1, Body

uri PROLO_HOSTING_NET4FREE_CHK1 /^http:\/\/.*net4free\.org\//
score PROLO_HOSTING_NET4FREE_CHK1 5.0
describe PROLO_HOSTING_NET4FREE_CHK1 PROLO_HOSTING_NET4FREE_CHK1, Body

#Raymond's SA Rules for Tripod Spams from Leo
# Three body tests for pairs of comma-decimal number strings plus one test for
# a tripod.com link. Each sub-test is a short, generic string and scores only
# 0.1; the meta rule adds 8 when all four hit in the same message.
body PROLO_LEO1 /85\,45|1\,21/
body PROLO_LEO2 /69\,95|3\,33/
body PROLO_LEO3 /99\,95|3\,75/
uri PROLO_LEO4 /http:\/\/.*\.tripod\.com/
meta PROLO_LEO_M1 (PROLO_LEO1 && PROLO_LEO2 && PROLO_LEO3 && PROLO_LEO4)
score PROLO_LEO1 0.1
score PROLO_LEO2 0.1
score PROLO_LEO3 0.1
score PROLO_LEO4 0.1
score PROLO_LEO_M1 8
describe PROLO_LEO1 Meta Catches all Leo drug variations so far
describe PROLO_LEO2 Meta Catches all Leo drug variations so far
describe PROLO_LEO3 Meta Catches all Leo drug variations so far
describe PROLO_LEO4 Meta to catch Leo now using Tripod
describe PROLO_LEO_M1 Catches all Leo drug variations so far

#JUNK SCORES TO RECREATE ROUNDING BUG
# All entries in this group are disabled (commented out).
#score RDNS_NONE 0.0
#header TEMP Received =~ /64.18.1.27/
#score TEMP -0.5
#score KAM_LIVE 0.0

#DFS Rule for Warning: Malformed MIME virus in the wild 10-10-2013
# "full" tests run against the complete raw message, headers included.
# __RP_ZIP_TYPE: a name= parameter ending in ".zip" within 80 characters.
# __RP_EMPTY_CTYPE: "Content-Type:" followed by at most four whitespace
# characters and then ";", i.e. no media type given.
# NOTE(review): the meta scores 15, which on its own exceeds SpamAssassin's
# default required_score of 5.0; the two sub-tests are not tied to the same
# MIME part, so they may hit in different parts of one message - confirm the
# false-positive rate is acceptable.
full __RP_ZIP_TYPE /name\s{0,2}=\s{0,2}.{0,80}\.zip/i
full __RP_EMPTY_CTYPE /Content-Type:\s{0,4};/i
meta RP_ZIP_ECTYP __RP_EMPTY_CTYPE && __RP_ZIP_TYPE
describe RP_ZIP_ECTYP Zip file attachment with bogus Content-Type: header
score RP_ZIP_ECTYP 15

#AXB TEXTAREA
# NOTE(review): the rule below is cut off at the end of this excerpt.
rawbody __AXB_RAW_TXTRO1 /\