# SmiteSpam rule file - Wed 14/01/2004 14:20 # # THIS FILE MAY BE UPDATED AUTOMATICALLY! # # Report any low scoring spam, or high scoring letitimate mail to spamreport@netwinsite.com. # Targets for spam scoring - # Legitimate mail < 4 <= Spam # # Please do NOT submit mail from sources you have previously subscribed to that you simply don't wish to continue receiving. # If possible, submit the complete source to messages as attachments. Forwarded messages may loose some of the 'tricks' used # to hide the mail from the filters, or alter other characteristics that may be significant. # # Due to the volume of mail we receive, it is not always possible to reply to your messages. They are however considered for # addition to filtering rules. # # You can add your own rules or alter the values associated with specific by placing a labels by creating a file called # local.rul in the same directory as this file. # # To disable automatic updates of this file (not recommended), set in smitecrc.ini # FILTER_UPGRADE FALSE if(rexp_case("X-AntiAbuse", "Originator.Caller\ UID.GID\ -\ \[\d\ \d\]\ \/\ \[\d\ \d\]")) then setflag("__RATWARE_ANTIABUSE") end if if(rexp_case("X-Scanner", "exiscan")) then setflag("__RATWARE_EXISCAN") end if if(rexp_case("X-Mailer", "^Apple\ Mail\ \(\d\.\d+\)$")) then setflag("__X_MAILER_APPLEMAIL") end if if(rexp_case("Content-Type", "boundary=\"?-{10}")) then setflag("__BAT_BOUNDARY") end if if(rexp("Content-Type", "boundary")) then setflag("__CTYPE_HAS_BOUNDARY") end if if(rexp("Content-Type", "charset=\"")) then setflag("__CTYPE_CHARSET_QUOTED") end if if(rexp_case("Message-ID", "^<\d{2,12}\.\d{14}\@\S+>$")) then setflag("__BAT_MSGID") end if if(rexp_case("X-Mailer", "^\QThe\ Bat!\ (v2.\E")) then setflag("__THEBAT_MUA_V2") end if if(rexp_case("X-Mailer", "The\ Bat!")) then setflag("__THEBAT_MUA") end if if(rexp("From-addr", "\@aol\.com$")) then setflag("__AOL_FROM") end if if(exists("X-Mailing-List")) then setflag("__HAS_X_MAILING_LIST") end if if(exists("X-Loop")) then setflag("__HAS_X_LOOP") end if if(rexp_case("Message-ID", "^<(?:\d\d?\.){4,5}\d{14}\.[a-f0-9]{8}\@\S+>$")) then setflag("__EUDORA_MSGID") end if if(rexp_case("X-Mailer", "\bQUALCOMM\b")) then setflag("__ANY_QUALCOMM_MUA") end if if(rexp_case("X-Mailer", "\bEudora\s+(?:(?:Pro|Light)\s+)?Version\s+[1-4]\.\b")) then setflag("__OLD_EUDORA2") end if if(rexp_case("X-Mailer", "Eudora\s+Pro\s+Version\s+[1-4]\.\b")) then setflag("__OLD_EUDORA1") end if if(rexp_case("X-Mailer", "^Eudora\ \d+.\d+\ for\ PalmOS\b")) then setflag("__PALM_EUDORA_MUA") end if if(rexp_case("X-Mailer", "Eudora\ for\ (?:Macintosh|Mac\ OS\ X)")) then setflag("__MAC_EUDORA_MUA") end if if(rexp_case("X-Mailer", "\b(?:QUALCOMM|Eudora)\b")) then setflag("__EUDORA_MUA") end if if(rexp_case("Message-ID", "^<[A-P]{26}A[AB]\.[-_\w.]+\@\S+>$")) then setflag("__OIMO_MSGID") end if if(rexp_case("X-Mailer", "Outlook\ IMO")) then setflag("__OIMO_MUA") end if if(rexp_case("Message-ID", "^<\!\~\!")) then setflag("__OUTLOOK_MSGID_3") end if if(rexp_case("Message-ID", "^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$")) then setflag("__OUTLOOK_MSGID_2") end if if(rexp_case("Message-ID", "^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$")) then setflag("__OUTLOOK_MSGID_1") end if if(rexp_case("X-Mailer", "\bOutlook\b(?!\ IMO|\ Express\ (?:for\ )?Mac|,\ Build\ 11\.0\.)")) then setflag("__OUTLOOK_MUA") end if if(rexp_case("Message-ID", "^<[A-F\d]{36,40}\@\S+>$")) then setflag("__IMS_MSGID") end if if(rexp_case("X-Mailer", "Internet\ Mail\ Service")) then setflag("__IMS_MUA") end if if(rexp_case("X-Mailer", "\bAOL\b")) then setflag("__AOL_MUA") end if call rexp_fast_flag(0.000000, "human\ growth\ hormone\b", "__HG_HORMONE", "__HG_HORMONE") if(rexp("body", "(?:(?-i:HGH)|H.G.H)\b")) then setflag("__HG_HORMONE") end if call rexp_fast_flag(0.000000, "click\s.{0,30}(?:here|below)", "__CLICK_BELOW", "__CLICK_BELOW") call rexp_fast_flag(0.000000, "remov(?:e|al).{0,16}remov(?:e|al)", "__REMOVE_REMOVAL_NEAR", "__REMOVE_REMOVAL_NEAR") call rexp_fast_flag(0.000000, "Below\ is\ the\ result\ of\ your\ feedback\ form", "__BUGGY_CGI", "__BUGGY_CGI") if(rexp_case("X-Mailer", "^NMS\ FormMail\.pl.*v\d")) then setflag("__NMS_CGI_NOT_BUGGY") end if if(rexp_case("Message-ID", "^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$")) then setflag("__MOZILLA_MSGID") end if if(rexp_case("X-Mailer", "\bMozilla\b")) then setflag("__MOZILLA_MUA") end if if(rexp_case("Message-ID", "\(.*\)")) then setflag("__MSGID_COMMENT") end if if(rexp_case("Message-ID", "\S")) then setflag("__HAS_MSGID") end if if(rexp_case("Message-ID", "^<[^<>\\\ \t\n\r\x0b\x80-\xff]+\@[^<>\\\ \t\n\r\x0b\x80-\xff]+>\s*$")) then setflag("__SANE_MSGID") end if if(rexp_case("Subject", "!!!")) then setflag("__PLING_PLING") end if if(rexp_case("Subject", "![^!]+!")) then setflag("__MANY_EXCLS") end if if(rexp_case("body", "\e\$B")) then setflag("__ISO_2022_JP_DELIM") end if if(rexp_case("From", "(?:hotmail|msn)\.com\b")) then setflag("__HAS_MSN_FROM") end if if(rexp_case("X-Originating-Email", "(?:hotmail|msn)\.com\b")) then setflag("__HAS_MSN_ORIG_EMAIL") end if if(rexp_case("Received", "\ by\ \S+\.(?:hotmail|msn)\.com\ with\ (?:HTTP|DAV)\;")) then setflag("__HAS_MSN_RCVD_DAV") end if if(rexp_case("X-Msmail-Priority", "^High")) then setflag("__X_MSPRI_HI") end if if(rexp_case("X-Priority", "^[12]")) then setflag("__X_PRI_HI") end if if(rexp("From-addr", "^[a-z](?:[a-z0-9]|[-._](?![-._])){0,62}[a-z0-9]\@juno\.com\b")) then setflag("__JUNO_FROM_VALID") end if if(rexp("From-addr", "\@juno\.com\b")) then setflag("__JUNO_FROM") end if if(rexp_case("Return-path-addr", "\d{3}.*\d{3}.*\@")) then setflag("__ID_RETURN_PATH") end if if(rexp_case("Reply-To-addr", "\d{3}.*\d{3}.*\@")) then setflag("__ID_REPLY_TO") end if if(rexp("From", "_\S?(?:[a-z]+\w*?\d+|\d+\w*?[a-z]+)\w*\@")) then setflag("__FROM_HAS_UNDERLINE_NUMS") end if if(rexp("Content-Type", "^text\/plain\b")) then setflag("__CT_TEXT_PLAIN") end if if(exists("MIME-Version")) then setflag("__MIME_VERSION") end if if(exists("Content-Transfer-Encoding")) then setflag("__CTE") end if if(exists("Content-Type")) then setflag("__CT") end if if(exists("Content-Disposition")) then setflag("__CD") end if if(rexp("head", "opt.?(?:in|out|oem|ed|ion-in|[\d@])(?:\b|\d|\@)")) then setflag("__OPT_HEADER_ALL") end if if(rexp("head", "^(?:Resent-)?Subject:.*opt.?(in|out|oem|ed|ion-in|[\d@])(?:\b|\d|\@)")) then setflag("__OPT_HEADER_SUBJ") end if if(rexp_case("Content-Type", "=\"(?:----_?=_)?NextPart_[\dA-F]{3}(_[\dA-F]{3,8})?_[\dA-F]{8}\.[\dA-F]{8}\"")) then setflag("__NEXTPART_NORMAL") end if if(rexp_case("Content-Type", "NextPart")) then setflag("__NEXTPART_ALL") end if if(exists("X-Priority")) then setflag("__HAS_X_PRIORITY") end if if(rexp_case("X-Mailer", "Microsoft\ (CDO|Outlook)\b")) then setflag("__HAS_OUTLOOK_IN_MAILER") end if if(exists("X-Mailer")) then setflag("__HAS_X_MAILER") end if if(rexp_case("X-Mailer", "SquirrelMail\b")) then setflag("__HAS_SQUIRRELMAIL_IN_MAILER") end if if(exists("X-MSMail-Priority")) then setflag("__HAS_MSMAIL_PRI") end if if(exists("X-MimeOLE")) then setflag("__HAS_MIMEOLE") end if if(rexp_case("Message-Id", "\@[a-z0-9.-]+\.(?:yahoo|wanadoo)(?:\.[a-z]{2,3}){1,2}>")) then setflag("__MSGID_BEFORE_OKAY") end if if(rexp("head", "\nMessage-Id:.*\nReceived:")) then setflag("__MSGID_BEFORE_RECEIVED") end if if(rexp_case("From-addr", "^\d{3}(?:[-.]?\d{3}[-.]?\d{4}|\d{7})\@")) then setflag("__FROM_PHONE") end if if(rexp_case("From-addr", "^\d+\@")) then setflag("__FROM_JUST_NUMBER") end if call rexp_fast(1000.000000, "XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X", "Generic Test for Unsolicited Bulk Email") if(rexp_case("X-Mailer", "EVAMAIL")) then call spamdetect(2.900000, "Bulk email fingerprint (EVAMAIL) found") end if call rexp_fast(2.900000, "add\ up\ to\ \S+(?:\ \S+)?\ or\ more", "Has add/lose/make/save up to X or more") call rexp_fast(2.900000, "lose\ up\ to\ \S+(?:\ \S+)?\ or\ more", "Has add/lose/make/save up to X or more") call rexp_fast(2.900000, "make\ up\ to\ \S+(?:\ \S+)?\ or\ more", "Has add/lose/make/save up to X or more") call rexp_fast(2.900000, "save\ up\ to\ \S+(?:\ \S+)?\ or\ more", "Has add/lose/make/save up to X or more") call rexp_fast(1.538000, "free\ leads\b", "Free Leads") if(rexp_case("X-Mailer", "2\.0-b55-VC_IPA")) then call spamdetect(2.900000, "Bulk email fingerprint (VC_IPA) found") end if if(rexp_case("urls", "\/logic\/[a-z]{2}\.pl")) then call spamdetect(2.900000, "Spam URL pattern, DailyPromotions redirect") end if if(rexp("urls", "(?:freehost|yada)china\.com")) then call spamdetect(2.900000, "Frequent Spam content") end if call rexp_fast(1.799000, "cents\ on\ the\ dollar\b", "Cents on the Dollar") call rexp_fast(1.356000, "additional\ income\b", "Additional Income") if(rexp("body", "(?-i:F)ree\ installation")) then call spamdetect(1.225000, "Contains 'free installation' with capitals") end if if(exists("X-Stormpost-To")) then call spamdetect(2.900000, "Message has X-Stormpost-To header") end if call rexp_fast(2.200000, "contains\ forward-looking\ statements\b", "Stock Disclaimer Statement") call rexp_fast(1.453000, "take\ action\ now!", "Tells you to 'take action now!'") call rexp_fast(2.900000, "our\ overwhelming\ growth", "Mentions their overwhelming growth") if(rexp("urls", "http:\/\/(?:pxe|fx)\.")) then call spamdetect(2.900000, "Spam URL pattern, DailyPromotions server link") end if if(rexp_case("X-Mailer", "StormPost")) then call spamdetect(2.900000, "Bulk email fingerprint (StormPost) found") end if if(exists("To")) then if(rexp_case("To", "^\s*$")) then call spamdetect(1.600000, "To: is empty") end if end if call rexp_fast(2.900000, "xxx\ photos?\b", "Possible Porn - XXX Photos") if(rexp("body", "\d+\+?\ xxx\ pictures\b")) then call spamdetect(2.900000, "Possible Porn - XXX Photos") end if if(rexp_case("X-Mailer", "PowerCampaign")) then call spamdetect(2.900000, "Bulk email fingerprint (PowerCampaign) found") end if call rexp_fast(2.900000, "our\ privacy\ policy\ can\ be\ found", "Mentions where their privacy policy is") if(rexp_case("Received", "by\ email.qves.com\ with\ Microsoft")) then call spamdetect(2.900000, "Sent by a known spamhaus (qves)") end if if(exists("X-VMP-Text")) then call spamdetect(2.900000, "Message has X-VMP-Text header") end if if(rexp_case("Message-ID", "^")) then call spamdetect(0.196000, "Message-Id header indicates message is spam") end if call rexp_fast(0.555000, "toner[-\s]+cartridge", "Contains 'Toner Cartridge'") call rexp_fast(0.555000, "ink(?:[-\s]*jet)?[-\s]+cartridge", "Contains 'Toner Cartridge'") call rexp_fast(0.555000, "fax[-\s]+cartridge", "Contains 'Toner Cartridge'") call rexp_fast(0.555000, "copier[-\s]+cartridge", "Contains 'Toner Cartridge'") call rexp_fast(1.966000, "sex[\ -]?fest\b", "Possible adult material - Porn Fest") call rexp_fast(1.966000, "gay[\ -]?fest\b", "Possible adult material - Porn Fest") call rexp_fast(1.966000, "slut[\ -]?fest\b", "Possible adult material - Porn Fest") call rexp_fast(1.966000, "whore[\ -]?fest\b", "Possible adult material - Porn Fest") call rexp_fast(1.966000, "cum[\ -]?fest\b", "Possible adult material - Porn Fest") call rexp_fast(1.966000, "suck[\ -]?fest\b", "Possible adult material - Porn Fest") call rexp_fast(1.966000, "adult[\ -]?fest\b", "Possible adult material - Porn Fest") call rexp_fast(1.966000, "xxx[\ -]?fest\b", "Possible adult material - Porn Fest") call rexp_fast(1.966000, "teen[\ -]?fest\b", "Possible adult material - Porn Fest") if(rexp("body", "f[\.\*u][\.\*c]k[\ -]?fest\b")) then call spamdetect(1.966000, "Possible adult material - Porn Fest") end if if(rexp_case("X-Mailer", "^X-Mailer:\ ")) then call spamdetect(2.900000, "Bulk email fingerprint (screwup 1) found") end if if(rexp_case("body", "\{%RAND%\}")) then call spamdetect(2.900000, "RAND found, spammer tried to use a random-ID") end if if(exists("To")) then if(rexp_case("To", "(?:^\@|<\@|\ \@[^\)<]*$|<>)")) then call spamdetect(1.662000, "To: has no local-part before @ sign") end if end if if(rexp_case("X-Info", "service\ to\ abuse\@azoogle\.com$")) then call spamdetect(2.900000, "From azoogle.com, azogle.com, etc.") end if if(rexp("head", "\bbtamail\.net\.cn")) then call spamdetect(2.900000, "Header contains an address from btamail.net.cn") end if if(rexp_case("urls", "^https?\:\/\/[^\/\s]*[\x00-\x08\x0b\x0c\x0e-\x1f]")) then call spamdetect(0.211000, "Uses control sequences inside a URL hostname") end if call rexp_fast(2.900000, "you\ registered\ at\ one\ of\ our", "Claims you registered at their site") if(rexp("To", "(?:yourdomain|you|your|(?]$")) then call spamdetect(2.900000, "References header has bad format") end if call rexp_fast(2.900000, "vip\ membership", "Possible Porn - Porn membership") call rexp_fast(2.900000, "adult\ membership", "Possible Porn - Porn membership") call rexp_fast(2.900000, "porn\ membership", "Possible Porn - Porn membership") if(rexp("body", "x.rated\ membership")) then call spamdetect(2.900000, "Possible Porn - Porn membership") end if call rexp_fast(2.900000, "our\ strict\ anti", "Mentions their strict antipathy on something") call rexp_fast(2.900000, "order\ report\ .\s?\d\ from", "Order a report from someone") if(rexp_case("body", "^\w+\^\S+\(\w{2,3}\b")) then call spamdetect(2.900000, "Message seems to contain rot13ed address") end if call rexp_fast(2.799000, "no\ inventory\b", "No Inventory") call rexp_fast(2.900000, "no\ credit\ check\b", "No Credit Check") call rexp_fast(0.800000, "not\ (?:MLM|multi.level.marketing)\b", "Apparently, NOT Multi Level Marketing") call rexp_fast(2.900000, "not\ a\ registered\ investment\ advisor", "Not registered investment advisor") if(rexp_case("Content-Type", "charset=.?DEFAULT")) then call spamdetect(2.900000, "Character set doesn't exist") end if call rexp_fast(2.900000, "never\ receive\ another\ mailing", "'another mailing' will 'never' be 'received'") if(rexp_case("Message-ID", "<0000[0-9a-f]{8}\$0000[0-9a-f]{4}\$0000[0-9a-f]{4}\@")) then call spamdetect(4.400000, "Spam tool Message-Id: (12-zeroes variant)") end if if(rexp_case("Message-ID", "^<\d\d\d\d\d\d[a-z]\d[a-z][a-z]\d\d\$[a-z][a-z][a-z]\d\d\d\d\d\$\d\d\d\d\d\d\d\d\@")) then call spamdetect(4.300000, "Spam tool Message-Id: (99x9xx99 variant)") end if if(rexp_case("Message-ID", "<[0-9][0-9][0-9][a-f]..[a-f]..[a-f].[a-f]\$[0-9a-f]{4}[a-f].[a-f].\$.[a-f][a-f]..[a-f][a-f].\@[a-z]{6}>")) then call spamdetect(2.900000, "Spam tool Message-Id: (6-letter variant)") end if if(rexp_case("Message-ID", "<[0-9a-f]{12,12}\$[0-9a-f]{8,8}\$[0-9a-f]{8,8}\@>")) then call spamdetect(2.900000, "Message-Id generated by a spam tool") end if if(rexp_case("Message-Id", "")) then call spamdetect(1.747000, "Message-Id was added by a hotmail.com relay") end if if(rexp_case("Message-ID", "^]")) then call spamdetect(3.659000, "Subject: contains Korean unsolicited email tag") end if if(rexp_case("Subject", "\e\$B.*(?:L\$>5Bz|EE;R%a!<%k)9-9p")) then call spamdetect(2.900000, "Subject contains a Japanese UCE tag") end if call rexp_fast(2.900000, "H\.\s*R\.\s*3113", "Mentions Spam law 'HR 3113'") call rexp_fast(2.900000, "hidden\ assets", "'Hidden' assets") if(rexp("body", "\bh[a\@]rd[\ -]?core\ .{0,9}(?:teen|virgin|cheerleader|amat(?:eu|ue)r)|\bextreme\ h[a\@]rdcore")) then call spamdetect(2.900000, "Possible adult material - Hardcore Porn") end if if(rexp("From-addr", "\@\S*offers(?![eo]n\b)")) then call spamdetect(4.300000, "From address is 'at something-offers'") end if if(rexp("From-addr", "^\d\S+\@(?:msn\.com|flashmail\.com|mailexcite\.com|prodigy\.net|yahoo\.\S+|hotmail\.com|eudoramail\.com|aol\.com|excite\.com|email\.com|earthlink\.net|geocities\.com|hknetmail\.com|angelfire\.com)")) then call spamdetect(1.106000, "From address is webmail, but starts with a number") end if call rexp_fast(2.613000, "free\ website", "Free Website") call rexp_fast(2.899000, "free.{0,12}(?:(?:instant|express|online|no.?obligation).{0,4})+.{0,32}\bquote", "Free express or no-obligation quote") call rexp_fast(1.425000, "free\ .{0,9}passwords?\b", "Offers Free (often stolen) Passwords") call rexp_fast(2.900000, "free\ investment", "Free Investment") if(rexp_case("Received", "from\ smtp(?:\d{1,2}|\d{4,})\.mail(?:\.[^\.]+|)\.yahoo\.com\ ")) then call spamdetect(2.899000, "Header contains forged Yahoo! SMTP server hostname") end if if(rexp_case("Received", "\.(?!br)..\ \(\d+-\d+-\d+-\d+\.dsl\.telesp\.net\.br\ ")) then call spamdetect(2.900000, "Contains forged hostname for a DSL IP in Brazil") end if if(rexp_case("Received", "from\ \S+\ \(\d+\ \[")) then call spamdetect(2.900000, "Received headers forged (numeric hostname)") end if if(rexp_case("Received", "^from\ mx\d+\.hotmail\.com\ ")) then call spamdetect(2.900000, "Forged hotmail.com Received 'from mx' header") end if if(rexp("To", "undisclosed[_\ ]*recipient(?:s[^:]|[^s])")) then call spamdetect(2.899000, "Faked To 'Undisclosed-Recipients'") end if if(rexp("Received", "from\ [-0-9a-z\._]+_\[\d+\.\d+\.\d+\.\d+\]\ ")) then call spamdetect(2.900000, "Received: contains a name with a faked IP-address") end if call rexp_fast(2.900000, "you\ have\ provided\ permission", "Claims you have provided permission") call rexp_fast(2.900000, "you\ are\ receiving\ this\ special\ offer", "You're receiving this offer for a reason") call rexp_fast(1.940000, "your\ e.?mail\ address\ was\ obtained", "Claims address was obtained legitimately") if(rexp_case("body", "\b[a-z(\]-]+\^[a-z-]+\([a-z]{2,3}\b")) then call spamdetect(4.400000, "Body contains a ROT13-encoded email address") end if call rexp_fast(2.900000, "dig\ up\ information\b", "Dig up Dirt on Friends") if(rexp_case("Date", "^[A-Z][a-z]{2},\ \d\d\ [A-Z][a-z]{2}\ [0-6]\d\ \d\d:\d\d:\d\d\ [A-Z]{3}$")) then call spamdetect(4.500000, "Date header uses unusual Y2K formatting") end if call rexp_fast(2.900000, "creditors\ calling\b", "Calling Creditors") call rexp_fast(2.900000, "copy.{1,10}name.{1,10}address.{1,10}ACCURATELY\b", "Common pyramid scheme phrase (1)") call rexp_fast(0.982000, "confidential.{0,9}\ order", "Confidentiality on all orders") call rexp_fast(2.900000, "compete\ for\ your\ business\b", "Compete for your business") call rexp_fast(2.241000, "compare\ .{0,9}rates?\b", "Compare Rates") if(rexp("head", "\@china\.com")) then call spamdetect(2.899000, "Involves 'china.com'") end if if(rexp("urls", "btamail\.net\.cn")) then call spamdetect(2.900000, "Frequent Spam content") end if call rexp_fast(2.900000, "amateur\ .{0,9}(?:sex|porn|star|sites?|college|babes|action|pics|trash|gang|rape)|\b(?:real|best)\ amateur", "Possible adult material - Amateur Porn") call rexp_fast(0.398000, "your\ income\b", "Doing something with my income") if(rexp_case("X-Priority", "^1")) then call spamdetect(1.495000, "Sent with 'X-Priority' set to high") end if if(rexp_case("X-Msmail-Priority", "^High")) then call spamdetect(0.500000, "Sent with 'X-Msmail-Priority' set to high") end if if(exists("X-Library")) then call spamdetect(1.403000, "Message has X-Library header") end if if(exists("x-esmtp")) then call spamdetect(0.218000, "Message has x-esmtp header") end if call rexp_fast(0.621000, "WORK.{1,10}(?:AT|FROM)\ (?:YOUR\ )?HOME", "Information on how to work at home (1)") call rexp_fast(0.621000, "MAKE.{1,10}(?:MONEY|\$+|BUCKS|CASH).{1,10}(?:AT|FROM)\ (?:YOUR\ )?HOME", "Information on how to work at home (1)") call rexp_fast(0.621000, "EARN.{1,10}(?:MONEY|\$+|BUCKS|CASH).{1,10}(?:AT|FROM)\ (?:YOUR\ )?HOME", "Information on how to work at home (1)") call rexp_fast(0.356000, "why\ wait\b", "What are you waiting for") call rexp_fast(0.356000, "what\ are\ you\ waiting\ for\b", "What are you waiting for") call rexp_fast(2.746000, "while\ you\ sleep\b", "While you Sleep") call rexp_fast(0.140000, "while\ supplies\ last\b", "While Supplies Last") call rexp_fast(1.691000, "we\ promise\ .{0,9}you", "Promise you ...!") call rexp_fast(1.101000, "honou?r(?:\ all)?\ remov(?:e|al)\ requests?\b", "Claims to honor removal requests") call rexp_fast(1.101000, "respect(?:\ all)?\ remov(?:e|al)\ requests?\b", "Claims to honor removal requests") if(rexp_case("body", "[\042\223\224\262\263\271]{2}\S{0,16}[\042\223\224\262\263\271]{2}")) then call spamdetect(1.373000, "Weird repeated double-quotation marks") end if if(rexp("urls", "^https?://[^/\s]+?:\d+(?|^\s*$)")) then call spamdetect(0.345000, "To: has a malformed address") end if end if if(rexp_case("To-addr", "\s")) then call spamdetect(0.492000, "To: address contains spaces") end if if(rexp("To", "^\s*\"([^\"@]+\@[^\"@]+)\"\s+<\1>\s*$")) then call spamdetect(0.600000, "To: repeats address as real name") end if call rexp_fast(1.290000, "This.{0,30}is\ not\ (?:a\ )?spam", "Claims 'This is not spam'") call rexp_fast(1.640000, "the\ following\ form\b", "Asks you to fill out a form") call rexp_fast(3.254000, "the\ best\ rate", "The best Rates") call rexp_fast(1.686000, "targeted\ (?:traffic|e-?mail|internet|leads?)\b", "Targeted Traffic / Email Addresses") call rexp_fast(1.623000, "supplies\ are\ limited\b", "Supplies are Limited") if(rexp("Subject", "^hello\b")) then call spamdetect(0.872000, "Subject starts with 'Hello'") end if if(rexp("Subject", "^fre{2,}\b")) then call spamdetect(0.803000, "Subject starts with 'Free'") end if if(rexp("Subject", "Your\ Own")) then call spamdetect(0.391000, "Subject contains 'Your Own'") end if if(rexp("Subject", "Your\ (?:Bills|Debt|Credit)")) then call spamdetect(2.136000, "Subject contains 'Your Bills' or similar") end if if(rexp_case("Subject", "(?:\s{6}|\t\s|\s\t)\S")) then call spamdetect(1.581000, "Subject contains lots of white space") end if if(rexp("Subject", "^guaranteed|(?-i:GUARANTEE)")) then call spamdetect(2.895000, "Subject GUARANTEED") end if if(rexp_case("Subject", "FRE{2,}|F.R.E.E\b")) then call spamdetect(0.395000, "Subject contains 'FREE' in CAPS") end if if(rexp("Subject", "For\ Only")) then call spamdetect(0.773000, "Subject contains 'For Only'") end if if(rexp("body", "For\ Only")) then call spamdetect(0.100000, "Body contains 'For Only'") end if if(rexp_case("Subject", "^\$[0-9.,]+\b")) then call spamdetect(1.180000, "Subject starts with dollar amount") end if if(rexp("Subject", "^buy")) then call spamdetect(0.431000, "'Subject' starts with Buy, Buying") end if if(rexp("Subject", "\bAs\ Seen")) then call spamdetect(2.699000, "Subject contains 'As Seen'") end if call rexp_fast(2.440000, "subject\ to\ credit\ approval", "Contains 'subject to credit approval'") if(rexp("Subject", "approv(?:ed|al).?[.!*]")) then call spamdetect(1.223000, "Subject talks about being approved") end if call rexp_fast(2.172000, "stock\ alert", "Offers a alert about a stock") if(rexp_case("body", "S(?i:tart\ now)")) then call spamdetect(0.985000, "Talks about 'starting now' with capitals") end if call rexp_fast(1.567000, "serious\ cash\b", "Serious cash") call rexp_fast(0.764000, "we\ (?:have\ )?selected\ you", "They have selected you for something") call rexp_fast(2.283000, "seduc.{0,8}\ (?:ebook|opposite\ sex|women)\b", "Score with babes!") call rexp_fast(2.283000, "attract.{0,8}\ (?:ebook|opposite\ sex|women)\b", "Score with babes!") call rexp_fast(2.599000, "secretly\ record", "Secretly Recorded") if(rexp("body", "\b(?-i:S)ave\ up\ to\b")) then call spamdetect(0.267000, "Save Up To") end if call rexp_fast(2.332000, "save\ (?:thousands|millions)\b", "Save big money") call rexp_fast(2.799000, "save\ .{0,20}\bon\ (?:your\s+)?(?:auto|car|life|health|medical)?\ ?insurance\b", "Trying to sell insurance online") call rexp_fast(0.594000, "risk[\ -]free", "Risk free. Suuurreeee....") call rexp_fast(0.594000, "no[\ -]risk", "Risk free. Suuurreeee....") call rexp_fast(2.600000, "make\ you\ rich\b", "If only it were that easy") call rexp_fast(2.600000, "get\ rich\ quick\b", "If only it were that easy") call rexp_fast(4.300000, "reverse.{1,5}aging\b", "Reverses Aging") if(exists("Reply-To")) then if(rexp("Reply-To", "_\S?(?:[a-z]+\w*?\d+|\d+\w*?[a-z]+)\w*\@")) then call spamdetect(0.001000, "Reply-To: has an underline and numbers/letters") setflag("REPLY_TO_ULINE_NUMS") end if end if if(exists("Reply-To")) then if(rexp_case("Reply-To", "^\s*$")) then call spamdetect(0.065000, "Reply-To: is empty") end if end if call rexp_fast(0.412000, "reply.{1,15}remove.{1,15}subject", "List removal information") call rexp_fast(0.343000, "remove.{1,15}subject", "List removal information") call rexp_fast_flag(0.500000, "remov\S{0,16}\s+\S{0,16}remov", "List removal information", "REMOVE_REMOVAL_2WORD") call rexp_fast_flag(1.101000, "remov\S{0,64}remov", "List removal information", "REMOVE_REMOVAL_1WORD") if(rexp_case("urls", "^https?:\/\/[^\/]+\/.*?remove")) then call spamdetect(1.052000, "URL of page called 'remove'") end if call rexp_fast(0.001000, "\"remove\"", "List removal information") call rexp_fast(0.166000, "to\ be\ removed\ from\ (?:the|my|our)\ (?:mailing|e.?mail|opt[\ -]?in)?\ ?list", "To be removed from list") call rexp_fast(0.870000, "REMOVAL\ INSTRUCTIONS", "Gives instructions for removal from list") call rexp_fast(0.870000, "UNSUBSCRIBE\ INSTRUCTIONS", "Gives instructions for removal from list") call rexp_fast(2.012000, "time\ to\ refinance|refinanc\w{1,3}\b.{0,16}\bnow\b", "Home refinancing") call rexp_fast(1.101000, "receive\ special\ offer", "Receive a special offer") if(rexp("Received", "helo[=\ ]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")) then call spamdetect(1.271000, "Received: contains a numeric HELO") end if if(rexp_case("Received", "^from\ (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com\ \(")) then call spamdetect(2.063000, "Received contains a faked HELO hostname") end if call rexp_fast(0.701000, "ravages\ of\ aging", "Describes the ravages of aging") if(rexp_case("Received", "^from\ (?:(?:unknown|\d+\.\d+\.\d+\.\d+)\ \(\S+\)|\[\d+\.\d+\.\d+\.\d+\])\ by\ \S+\ with\ (?:esmtp|local|smtp);\ ")) then call spamdetect(4.300000, "Bulk email fingerprint ('esmtp' Received) found") end if if(rexp_case("X-Mailer", "^[A-Za-z0-9\._]{14,}$")) then call spamdetect(2.669000, "Bulk email fingerprint (hash 2 v2) found") end if call rexp_fast(2.396000, "claim.{0,9}\ prize", "Talks about prizes") call rexp_fast(1.263000, "Sign(?:ature)?\s*(?:here|please)?:.{0,30}___*", "Asks you for your signature on a form") call rexp_fast(0.898000, "prestigi?ous\b.{0,20}\bnon-accredited\b.{0,20}\buniversities", "'Prestigious Non-Accredited Universities'") if(rexp_case("urls", "^https?:\/\/[\w\.-]*(?:xxx|(??\s*$")) then call spamdetect(0.500000, "From: does not include a real name") end if call rexp_fast(2.271000, "NO\ QUESTIONS\ ASKED\b", "Doesn't ask any questions") call rexp_fast(0.954000, "no\ obligation", "There is no obligation") call rexp_fast(1.012000, "No\ EXPERIENCE", "No experience needed!") call rexp_fast(0.801000, "You\ won'?t\ be\ diss?app?ointed", "You won't be 'disappointed'") call rexp_fast(0.692000, "no\ (?:cost|charge)\b", "No such thing as a free lunch (3)") call rexp_fast(2.799000, "there\ is\ no\ catch", "There is no catch") call rexp_fast(2.900000, "not\ intended\ for\ residents\ (?:of|in)\b", "Not intended for residents of somewhere") if(rexp("urls", "^https?\:\/\/(?:\S*\@)?\d+\.\d+\.\d+\.\d+")) then call spamdetect(0.427000, "Uses a dotted-decimal IP address in URL") end if if(rexp("Subject", "^(?:Re:|\[.{1,10}\])?\s*(?:very\ )?urgent\s+(?:(?:and|&)\s+)?(?:confidential|assistance|business|attention|reply|response|help)\b")) then call spamdetect(2.900000, "Subject is indicative of a Nigerian spam") end if if(rexp("Subject", "^(?:Re:|\[.{1,10}\])?\s*(?:(?:very\ )?URGENT|ATTENTION)\s*$")) then call spamdetect(0.029000, "Subject is indicative of a Nigerian spam") end if call rexp_fast(1.399000, "by\ virtue\ of\ its\ nature\ as\ being\ utterly\ confidential", "Possible Nigerian Scam Text") call rexp_fast(2.199000, "new\ .{0,15}\bextension", "Possible registry spammer") call rexp_fast(1.947000, "horniest\b.{0,9}\b(?:girl|women|teen|babe)", "Possible adult material - Nasty Girls") call rexp_fast(1.947000, "nasty\b.{0,9}\b(?:girl|women|teen|babe)", "Possible adult material - Nasty Girls") call rexp_fast(1.947000, "nastiest\b.{0,9}\b(?:girl|women|teen|babe)", "Possible adult material - Nasty Girls") call rexp_fast(1.947000, "hottest\b.{0,9}\b(?:girl|women|teen|babe)", "Possible adult material - Nasty Girls") call rexp_fast(1.947000, "wildest\b.{0,9}\b(?:girl|women|teen|babe)", "Possible adult material - Nasty Girls") call rexp_fast(1.947000, "slutty\b.{0,9}\b(?:girl|women|teen|babe)", "Possible adult material - Nasty Girls") call rexp_fast(1.947000, "xxx+\b.{0,9}\b(?:girl|women|teen|babe)", "Possible adult material - Nasty Girls") call rexp_fast(1.920000, "must\ be\ (?:at\ least|over)\ 18\b", "Possible adult material - Must be 18") if(rexp_case("Message-ID", "\@>(?:$|\s)")) then call spamdetect(0.381000, "Message-Id has no hostname") end if call rexp_fast(0.567000, "Mortgage\ rates", "Information on mortgage rates") call rexp_fast(1.001000, "mortgage\ (?:rates?|quotes?|approv(?:al|ed)|payment|interest|loans?|app(?:\b|lication))", "Looks like mortgage pitch") call rexp_fast(1.100000, "low(?:est|er)?\ mortgage", "Information on mortgages") call rexp_fast(1.100000, "free\ mortgage", "Information on mortgages") call rexp_fast(1.100000, "second\ mortgage", "Information on mortgages") call rexp_fast(1.100000, "rate\ mortgage", "Information on mortgages") call rexp_fast(1.100000, "best\ mortgage", "Information on mortgages") call rexp_fast(1.100000, "refinanc(?:e|ing)\ mortgage", "Information on mortgages") call rexp_fast(1.100000, "online\ mortgage", "Information on mortgages") call rexp_fast(1.100000, "instant\ mortgage", "Information on mortgages") call rexp_fast(2.799000, "money\ mak(?:ing|er)", "Discusses money making") call rexp_fast(1.101000, "money\ back\ guarantee", "Money back guarantee") call rexp_fast(2.133000, "MLM\b", "Multi Level Marketing mentioned") call rexp_fast(2.133000, "multi.level.marketing\b", "Multi Level Marketing mentioned") if(rexp_case("Content-Type", "boundary=\"[\dA-F]{24}\"")) then call spamdetect(1.462000, "Spam tool pattern in MIME boundary") end if if(rexp_case("Content-Type", "boundary=\d{9}\.\d{13}")) then call spamdetect(2.399000, "Spam tool pattern in MIME boundary") end if if(rexp_case("Content-Type", "boundary=\"_-{10}=_\d{19,22}\"")) then call spamdetect(1.182000, "Spam tool pattern in MIME boundary") end if call rexp_fast(0.365000, "Million\b.{0,40}\b(?:United\ States?\ Dollars?|USD)", "Talks about millions of dollars") call rexp_fast(2.499000, "million\ (?:\w+\ )?(?:e-?mail\ )?addresses", "Get a million email addresses") call rexp_fast(1.090000, "meet\ .{0,12}singles|thousands\ of\ personal", "Meet Singles") call rexp_fast(2.010000, "marketing\ partner|\bpartner\ (?:web)?site", "Claims you registered with a partner") call rexp_fast(2.010000, "network\ partner|\bpartner\ (?:web)?site", "Claims you registered with a partner") if(rexp("urls", "^mailto:[a-z]+\d{2,}\@")) then call spamdetect(0.496000, "Includes a link to a likely spammer email") end if if(rexp("urls", "^mailto:.*?remove")) then call spamdetect(0.855000, "Includes a 'remove' email address") end if if(rexp("rawbody", "mailto:.{0,64}\@.{0,64}\?subject=(?:\"|3D)*(?:remove?|delete|please.?(?:delete|remove|unsubscribe)|abuse|off\b|stop|take.?me.?off)")) then call spamdetect(0.831000, "mailto URI includes removal text") end if call rexp_fast(0.146000, "believe\ your\ eyes\b", "Will not Believe your Eyes!") call rexp_fast(1.934000, "luxury\ car\b", "Luxury Car") call rexp_fast(0.089000, "low.{0,4}\ (?-i:P)rice", "Lowest Price") call rexp_fast(1.610000, "reduce.{0,12}\ payment", "Lower Monthly Payment") call rexp_fast(1.610000, "low.{0,12}\ payment", "Lower Monthly Payment") call rexp_fast(0.058000, "low.{0,20}\ interest\ rates?\b", "Lower Interest Rates") if(rexp("body", "\b(?:\d{1,3}[,\.])+\d{3}.{0,20}\b(?:pics|pictures|images|photos|movies)")) then call spamdetect(0.446000, "Thousands or millions of pics/movies/etc") end if if(rexp("Subject", "\bLose\ .*(?:pounds|lbs|weight)")) then call spamdetect(2.899000, "Subject talks about losing pounds") end if call rexp_fast(0.072000, "lo+se.{1,10}\d+.{1,3}(?:lb|pound|kg|kilo)", "Describes weight loss") call rexp_fast(3.605000, "Body\ Fat\ Loss", "Describes body fat loss") call rexp_fast(3.605000, "Loss\ of\ body\ fat", "Describes body fat loss") call rexp_fast(3.605000, "lose.{1,10}body\ fat", "Describes body fat loss") call rexp_fast(1.638000, "Unlimited.{1,9}Long\ Distance", "Long Distance Phone Offer") call rexp_fast(1.638000, "per\ minute.{1,9}Long\ Distance", "Long Distance Phone Offer") call rexp_fast(1.638000, "free.{1,9}Long\ Distance", "Long Distance Phone Offer") call rexp_fast(2.233000, "live\ .{0,9}(?:fuck(?:ing)?|sex|naked|girls?|virgins?|teens?|porno?)\b", "Possible adult material - Live Porn") if(rexp("rawbody", "\s+href=['\"]?www\.")) then call spamdetect(0.452000, "Contains link without http:// prefix") end if call rexp_fast(0.478000, "LIMITED\ TIME\ (?:ONLY|offer)", "Offers a limited time offer") if(rexp_case("body", "[0-9a-fA-F]{70,}")) then call spamdetect(0.633000, "Contains a large block of hexadecimal code") end if call rexp_fast(2.900000, "temple\ kiff", "Contains 'Temple Kiff'") call rexp_fast(2.599000, "join\ (?:millions|thousands)\b", "Join Millions of Americans") if(rexp_case("body", "My\ wife,\ Jody")) then call spamdetect(2.900000, "Contains 'My wife, Jody' testimonial") end if if(rexp_case("body", "Mi\ esposa,\ Jody")) then call spamdetect(2.900000, "Contains 'My wife, Jody' testimonial") end if call rexp_fast(2.900000, "invaluable\ marketing\ information", "Invaluable marketing information") if(rexp_case("Date", "[-+](?:1[4-9]\d\d|[2-9]\d\d\d)$")) then call spamdetect(1.746000, "Invalid Date: header (timezone does not exist)") end if if(exists("Date")) then if(!rexp_case("Date", "^\s*(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\ )?[0-3\ ]?[0-9]\ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec)\ (?:[12][901])?[0-9]{2}\ [0-2][0-9](?:\:[0-5][0-9]){1,2}\ (?:[+-][0-9]{4}|UT|[A-Z]{2,3}T)(?:\s+\(.*\))?\s*$")) then call spamdetect(0.042000, "Invalid Date: header (not RFC 2822)") end if end if call rexp_fast(2.799000, "initial\ investment\b", "Requires Initial Investment") call rexp_fast(1.784000, "increased?.{0,9}(?:sex|stamina)", "Talks about a bigger drive for sex") call rexp_fast(3.415000, "impotence\ (?:problem|cure|solution)", "Impotence cure") call rexp_fast(3.415000, "Premature\ Ejaculation", "Impotence cure") call rexp_fast(3.415000, "erectile\ dysfunction", "Impotence cure") if(rexp_case("urls", "^https?\:\/\/\S+=[-_\+a-z0-9\.]+\@[-_\+a-z0-9\.]+\.[-_\+a-z0-9]{2,3}(?:\&|\s)")) then call spamdetect(1.0, "'remove' URL contains an email address") end if if(rexp("urls", "^https?:\/\/\S*%(?:3\d|[46][1-9a-f]|[57][\da])")) then call spamdetect(0.153000, "Completely unnecessary %-escapes inside a URL") end if if(rexp_case("urls", "^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]")) then call spamdetect(1.101000, "Uses %-escapes inside a URL's hostname") end if if(rexp("urls", "https?://[^\s\">/]*\&\#[\da-f]+")) then call spamdetect(1.059000, "URI obscured with character entities") end if if(rexp("body", "\b(?=[dehklnswxy])(?:horny|nasty|hot|wild|young|horniest|nastiest|hottest|wildest|youngest|naughty|dirtiest|slutty|kinky|lusty|extreme|xxx+)\b.{0,9}\b(?=[acfghilmpsvx])(?:virgin|asian|cheerleader|sex|selection|fuck|fucking|anal\b|lesb(?:ian|o)|incest|chicks?|pics|movies|video|gay\b|porn|h[a\@]rdcore|schoolgirls|amateur|slut|adult|cum|xxx|sites?|hotties|shit)")) then call spamdetect(0.214000, "Possible adult material - Hot, Nasty, Wild, Young") end if call rexp_fast(0.054000, "HOME.{0,10}(?:\ EMPLOYMENT|WORKER|BUSINESS)", "Information on how to work at home (2)") if(rexp("rawbody", "<[^>]+onMouseOver=[^>]+window\.status=")) then call spamdetect(0.157000, "Javascript to hide URLs in browser") end if if(rexp("body", "\b(?=[gnrt])(?:thinn?ing|restore|grow|new)\ hair|\bhair\ loss")) then call spamdetect(1.563000, "Cures Baldness") end if call rexp_fast(1.944000, "guarantee.{0,15}(?:income|money|monthly)\b", "Guaranteed Stuff") call rexp_fast(1.101000, "100%\ GUARANTEED", "One hundred percent guaranteed") if(rexp_case("body", "GUARANTEE\b")) then call spamdetect(2.155000, "Contains word 'guarantee' in all-caps") end if call rexp_fast(0.867000, "get\ started\ (?-i:N)ow\b", "Get Started Now") call rexp_fast(2.499000, "get\ (?-i:P)aid\b", "Get Paid") call rexp_fast(0.679000, "get\ it\ (?-i:N)ow", "Contains 'Get it now' with capitals") if(rexp("Subject", "\b(?:[a-z]([-_.\ =~\/:,*!\@\#\$\%\^&+;\"\'<>])\1{0,2}){4,}")) then call spamdetect(2.326000, "Subject: contains G.a.p.p.y-T.e.x.t") end if if(rexp_case("rawbody", "FrontPage.Editor")) then call spamdetect(1.594000, "Frontpage used to create the message") end if if(rexp("From-addr", "\d\d\d\d\d\d\@(?:aol|msn|bigfoot|compuserve|excite|hotmail|juno|prodigy|yahoo)\.(?:com|net|org)")) then call spamdetect(0.989000, "From webmail service and address ends in numbers") end if if(rexp_case("From", "^\d\d")) then call spamdetect(0.390000, "From: starts with nums") end if if(exists("From")) then if(rexp_case("From", "(?:^\@|<\@|\ \@[^\)<]*$|<>)")) then call spamdetect(2.226000, "From: has no local-part before @ sign") end if end if if(!rexp_case("From", "[a-z]")) then call spamdetect(1.599000, "'From' has no lower-case characters") end if if(rexp("From-addr", "^[a-z]+\d+[a-z]+\d+[a-z]+\w*\@")) then call spamdetect(1.811000, "From: contains numbers mixed in with letters") end if if(rexp("From", "\w{2,}\d{4,}[a-z]{1,2}\d{2,}\@")) then call spamdetect(1.977000, "From address matches known spammer format") end if if(rexp("From", "\d+[a-z]+\d+\S*\@")) then call spamdetect(0.100000, "From: contains numbers mixed in with letters") end if if(rexp_case("From", "\d\d\@")) then call spamdetect(0.999000, "From: ends in numbers") end if call rexp_fast(0.144000, "free\ trial\b", "Free Trial") if(rexp("body", "(?-i:F)ree\ sample")) then call spamdetect(1.174000, "Contains 'free sample' with capitals") end if call rexp_fast(1.924000, "free\ quote", "Free Quote") call rexp_fast(1.039000, "free\ preview\b", "Free Preview") call rexp_fast(1.352000, "free\ (?:porn|xxx|adult)", "Possible adult material - Free Porn") call rexp_fast(2.163000, "free\ membership", "Free Membership") call rexp_fast(1.886000, "free\ (?-i:G)rants?\b", "Free Grant Money") call rexp_fast(1.886000, "government\ (?-i:G)rants?\b", "Free Grant Money") call rexp_fast(1.566000, "FREE\ CONSULTATION", "Offers a consultation for nothing") if(rexp("body", "(?-i:F)ree\ access")) then call spamdetect(2.533000, "Contains 'free access' with capitals") end if call rexp_fast(0.927000, "for\ (?-i:FREE)\b", "No such thing as a free lunch (1)") call rexp_fast(2.119000, "find\ out\ anything\b", "Find out anything") call rexp_fast(2.899000, "financial(?:ly)?\ free", "Financial Freedom") call rexp_fast(2.899000, "cash\ free", "Financial Freedom") if(rexp("Content-Type", "(?:\s*multipart\/)?.*\ type=")) then call spamdetect(1.116000, "Header has extraneous Content-type:...type= entry") end if call rexp_fast(0.853000, "extra\ cash\b", "Offers Extra Cash") call rexp_fast(0.879000, "to\ be\ removed\ from.{0,20}(?:mailings|offers)", "Talks about how to be removed from mailings") call rexp_fast(0.791000, "wish\ to\ remove\ yourself", "Claims you can be removed from the list") call rexp_fast(0.791000, "click\ to\ remove\ yourself", "Claims you can be removed from the list") call rexp_fast(2.899000, "To\ Be\ Removed,?\ Please", "Claims you can be removed from the list") call rexp_fast(0.100000, "to\ (?:be\ removed|be\ deleted|no\ longer\ receive\ th(?:is|ese)\ messages?)\ (?:from|send|reply|[e-]*mail)", "Claims you can be removed from the list") call rexp_fast(0.700000, "you(?:'ve|'re|\ have|\ are)?\ receiv(?:e|ed|ing)\ this\ (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by\ either|because)", "Claims you wanted this ad") call rexp_fast(0.727000, "because\ (?:you're|you\ (?:are\ )?)(?:registered|.{0,20}\bopt.{0,3}in)", "Claims you opted-in or registered") call rexp_fast(0.430000, "we\ do\ not\ (?:spam|send\ unsolicited)", "Claims not to be spam") call rexp_fast(0.061000, "received\ this.{1,10}in\ error", "I wonder how many emails they sent in error") call rexp_fast(0.320000, "you\ (?:do\ not|no\ longer)\ wish\ to\ receive", "Tells you how to stop further spam") call rexp_fast(0.853000, "mail\ was\ sent\ to\ you\ because\b", "Gives an excuse for why message was sent") call rexp_fast(2.423000, "this\ (?:e?-?mail|message)\ (?:(?:has\ )?reached|was\ sent\ to)\ you\ in\ error", "Nobody's perfect") call rexp_fast(1.072000, "you.{0,15}(?:name|mail).{0,15}(?:was|were|our).{0,15}list", "Claims you were on a list") call rexp_fast(0.149000, "if\ you\ (?:(?:want|wish|care|prefer)\ not\ to\ |do\ ?n[o']t\ (?:want|wish|care)\ to\ )(?:be\ contacted\ again|receive\ (?:any\ ?)?(?:more|future|further)\b.{1,10}\b(?:e?-?mail|message|offer|solicitation)s?|be\ included)", "'if you do not wish to receive any more'") call rexp_fast(0.417000, "You\ (?:were\ sent|have\ received|are\ receiving).{0,15}(?:message|e-?mail)s?\ because", "Gives a lame excuse about why spam was sent") call rexp_fast(0.417000, "You're\ receiving.{0,15}(?:message|e-?mail)s?\ because", "Gives a lame excuse about why spam was sent") call rexp_fast(1.485000, "earn\s+(?:up\s+to|as\s+much\s+as|over|at\s+least|a\s+full)?\s*\$\s*[0-9,]{2}", "Message talks about earning money") call rexp_fast(1.485000, "make\s+(?:up\s+to|as\s+much\s+as|over|at\s+least|a\s+full)?\s*\$\s*[0-9,]{2}", "Message talks about earning money") call rexp_fast(1.485000, "making\s+(?:up\s+to|as\s+much\s+as|over|at\s+least|a\s+full)?\s*\$\s*[0-9,]{2}", "Message talks about earning money") call rexp_fast(1.485000, "made\s+(?:up\s+to|as\s+much\s+as|over|at\s+least|a\s+full)?\s*\$\s*[0-9,]{2}", "Message talks about earning money") call rexp_fast(1.485000, "received?\s+(?:up\s+to|as\s+much\s+as|over|at\s+least|a\s+full)?\s*\$\s*[0-9,]{2}", "Message talks about earning money") call rexp_fast(1.485000, "discounted\s+(?:up\s+to|as\s+much\s+as|over|at\s+least|a\s+full)?\s*\$\s*[0-9,]{2}", "Message talks about earning money") call rexp_fast(2.122000, "potential\ (?:earnings|income)\b", "Potential Earnings") call rexp_fast(2.122000, "income\ potential\b", "Potential Earnings") call rexp_fast(0.943000, "drastic.{0,4}\ reduc", "Drastically Reduced") call rexp_fast(0.774000, "join\ .{0,10}(?-i:T)oday\b", "Do it Today") call rexp_fast(0.774000, "register\ .{0,10}(?-i:T)oday\b", "Do it Today") call rexp_fast(0.774000, "order\ .{0,10}(?-i:T)oday\b", "Do it Today") call rexp_fast(0.774000, "apply\ .{0,10}(?-i:T)oday\b", "Do it Today") call rexp_fast(1.566000, "don'?t\ delete\ this", "Don't delete me! Nooooo!!!!") call rexp_fast(1.566000, "do\ not\ delete", "Don't delete me! Nooooo!!!!") #if(rexp("body", "(?:\s|^)(?:\.|dot\s+)(?:info|biz|name)\b|(?:\s|^)\.\w+\ domain")) then # call spamdetect(1.479000, "Domain registration spam body") #end if if(rexp_case("body", "[\@\.]\S{0,20}(?:[^0-9][42](?:yo)?u|for-*you)(?:[.-]\S{1,20})?\.(?:net|com|org|info)\b")) then call spamdetect(1.097000, "Domain name containing a '4u' variant") end if if(rexp("body", "(?:c[*0]cks?|d[1*]cks?|h[0*]rny|b[1*]tch(?:es)|f[*0]ckk?ed|p[*]ssy|p[*]ssies)\b")) then call spamdetect(2.600000, "Attempts to disguise adult material words") end if call rexp_fast(1.611000, "Dear\ (?:IT\W|Internet|candidate|sirs?|madam|investor|travell?er|car\ shopper|web)\b", "Contains 'Dear (something)'") if(rexp("body", "^\s*Dear\ Friend\b")) then call spamdetect(1.888000, "Dear Friend? That's not very dear!") end if if(exists("Date")) then if(rexp_case("Date", "^$")) then call spamdetect(1.540000, "Missing Date: header") end if end if call rexp_fast(2.899000, "cum[\ -]?shots?\b", "Possible adult material - Cum Shot") call rexp_fast(4.300000, "consolidate\ .{0,9}\ (?:debt|credit|bills)", "Consolidate debt, credit, or bills") call rexp_fast(4.300000, "debt[\ -]?(?:consolidation|elimination)", "Consolidate debt, credit, or bills") call rexp_fast(0.500000, "100%\ (?-i:F)ree", "No such thing as a free lunch (2)") call rexp_fast(0.500000, "completely\ (?-i:F)ree", "No such thing as a free lunch (2)") call rexp_fast(0.500000, "totally\ (?-i:F)ree", "No such thing as a free lunch (2)") call rexp_fast(0.500000, "absolutely\ (?-i:F)ree", "No such thing as a free lunch (2)") call rexp_fast(2.300000, "transferred\ with\ a\ trial\ version\ of\ CommuniGate", "Sent using a trial version of CommuniGate") call rexp_fast(1.101000, "click\ here\ to\ be\ (?:permanently\ )?(?:removed|deleted)", "Click to be removed") if(rexp_case("body", "CLICK\s.{0,30}(?:HERE|BELOW)")) then call spamdetect(0.173000, "Asks you to click below (in capital letters)") setflag("CLICK_BELOW_CAPS") end if call rexp_fast(1.369000, "boost.{0,16}(?:cell|mobile|phone|cord.?less)", "Talks about cell-phone signal improvement") call rexp_fast(1.369000, "antenna.{0,16}(?:cell|mobile|phone|cord.?less)", "Talks about cell-phone signal improvement") call rexp_fast(1.369000, "reception.{0,16}(?:cell|mobile|phone|cord.?less)", "Talks about cell-phone signal improvement") call rexp_fast(1.369000, "cell.{0,16}(?:boost|antenna|reception)", "Talks about cell-phone signal improvement") call rexp_fast(1.369000, "mobile.{0,16}(?:boost|antenna|reception)", "Talks about cell-phone signal improvement") call rexp_fast(1.369000, "phone.{0,16}(?:boost|antenna|reception)", "Talks about cell-phone signal improvement") call rexp_fast(1.369000, "cord.?less.{0,16}(?:boost|antenna|reception)", "Talks about cell-phone signal improvement") call rexp_fast(1.142000, "celeb(?:rity|rities|s).{0,15}(?=[cenps])(?:sex|porn|pics|caught|nude|exposed|content)|\b(?=[fhns])(?:steamy|hot|nude|shocking|free|h[a\@]rdcore)\ celeb(?:rity|rities|s)", "Possible adult material - Celebrity Porn") call rexp_fast(0.589000, "cash\ bonus\b", "Cash Bonus") call rexp_fast(0.377000, "cannot\ be\ considered\ spam", "Claims 'cannot be considered spam'") call rexp_fast(0.010000, "cable\ (?:converter|descrambler)", "Cable Converter") if(rexp("urls", "^(?:https?:\/\/|mailto:)[^\/]+\.bz(?:\/|$)")) then call spamdetect(2.899000, "Contains a URL in the BZ top-level domain") end if call rexp_fast(0.616000, "buy\ direct\b", "Buy Direct") if(rexp("urls", "^(?:https?:\/\/|mailto:)[^\/]+\.biz(?:\/|$)")) then call spamdetect(0.747000, "Contains a URL in the BIZ top-level domain") end if call rexp_fast(0.248000, "Bill.{0,10}1618.{0,10}TITLE.{0,10}(?:III|\#3)", "Claims compliance with Senate Bill 1618") call rexp_fast(0.348000, "your\ own\ boss\b", "Be your own boss") call rexp_fast(1.678000, "best\b.{0,9}\b(?:virgins?|anal\b|lesbians?|incest|porno?|h[a\@]rdcore|sluts?|xxx+)", "Possible adult material - Best, Largest, Most Porn") call rexp_fast(1.678000, "biggest\b.{0,9}\b(?:virgins?|anal\b|lesbians?|incest|porno?|h[a\@]rdcore|sluts?|xxx+)", "Possible adult material - Best, Largest, Most Porn") call rexp_fast(1.678000, "largest\b.{0,9}\b(?:virgins?|anal\b|lesbians?|incest|porno?|h[a\@]rdcore|sluts?|xxx+)", "Possible adult material - Best, Largest, Most Porn") call rexp_fast(1.678000, "most\b.{0,9}\b(?:virgins?|anal\b|lesbians?|incest|porno?|h[a\@]rdcore|sluts?|xxx+)", "Possible adult material - Best, Largest, Most Porn") call rexp_fast(1.678000, "free\b.{0,9}\b(?:virgins?|anal\b|lesbians?|incest|porno?|h[a\@]rdcore|sluts?|xxx+)", "Possible adult material - Best, Largest, Most Porn") call rexp_fast(1.678000, "ultimate\b.{0,9}\b(?:virgins?|anal\b|lesbians?|incest|porno?|h[a\@]rdcore|sluts?|xxx+)", "Possible adult material - Best, Largest, Most Porn") call rexp_fast(1.287000, "been\ turned\ down\b", "Have you been turned down?") if(rexp_case("urls", "bargain([sz]|-\S+)?\.(?:com|biz)")) then call spamdetect(2.899000, "Includes a link to a likely spammer domain") end if call rexp_fast(1.852000, "barely\ legal\b", "Possible adult material - Barely Legal") call rexp_fast(1.852000, "just\ legal\b", "Possible adult material - Barely Legal") call rexp_fast(0.813000, "avoid\ bankruptcy\b", "Avoid Bankruptcy") call rexp_fast(0.813000, "past\ bankruptcy\b", "Avoid Bankruptcy") if(rexp("body", "\b(?-i:Q)uotes?\!")) then call spamdetect(2.363000, "Talks about quotes with an exclamation!") end if call rexp_fast(3.323000, "oprah!", "Talks about Oprah with an exclamation!") call rexp_fast(0.500000, "\b(?-i:O)rgasm", "Anyone need better orgasms?") if(rexp("body", "\b(?-i:M)ore!")) then call spamdetect(0.413000, "Talks about more with an exclamation!") end if call rexp_fast(0.582000, "money!", "Talks about money with an exclamation!") call rexp_fast(1.100000, "guaranteed?\!", "Something is emphatically guaranteed") call rexp_fast(2.147000, "exercis(?:e|er|es)!", "Talks about exercise with an exclamation!") call rexp_fast(1.921000, "boss!", "Talks about your boss with an exclamation!") call rexp_fast(1.230000, "bad.{0,10}\ (?:credit|debt)\b", "Eliminate Bad Credit") call rexp_fast(1.230000, "poor.{0,10}\ (?:credit|debt)\b", "Eliminate Bad Credit") call rexp_fast(1.230000, "no\b.{0,10}\ (?:credit|debt)\b", "Eliminate Bad Credit") call rexp_fast(1.230000, "eliminate.{0,10}\ (?:credit|debt)\b", "Eliminate Bad Credit") call rexp_fast(1.230000, "repair.{0,10}\ (?:credit|debt)\b", "Eliminate Bad Credit") call rexp_fast(1.230000, "reestablish.{0,10}\ (?:credit|debt)\b", "Eliminate Bad Credit") call rexp_fast(1.230000, "establish.{0,10}\ (?:credit|debt)\b", "Eliminate Bad Credit") call rexp_fast(1.230000, "damag.{0,10}\ (?:credit|debt)\b", "Eliminate Bad Credit") call rexp_fast(0.300000, "trust(?:ed).{0,10}\ (?:source|contact|confidence)\b", "A little too trusting") call rexp_fast(0.503000, "seen\ on\b\s*(?:T\.?V\.?|ABC|NBC|CBS|CNN|Oprah|USA\ Today|48\ Hours|New\ York\ Times|\w+\s+T\.?V\.?|:)", "As seen on national TV!") if(rexp("body", "(?-i:F)ree\ (?-i:A)pplication|free\ application.{0,32}(?:today|minute|less\ than)")) then call spamdetect(2.287000, "Free Application") end if call rexp_fast(1.700000, "AOL\s+Users\s+Click", "Includes a link for AOL users to click") call rexp_fast(2.008000, "amazing\ (?:product|rates)", "Amazing Stuff") call rexp_fast(0.661000, "100%\ natural", "Spam is 100% natural?!") call rexp_fast(0.661000, "completely\ natural", "Spam is 100% natural?!") call rexp_fast(0.661000, "totally\ natural", "Spam is 100% natural?!") call rexp_fast(0.661000, "all\ natural", "Spam is 100% natural?!") if(rexp_case("body", "ORGY\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "FUCKING\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "FETISH\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "WEBCAM\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "VOYEUR\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "ANAL\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "CUM\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "SNATCH\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "COCK\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "CUNT\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "ORGASM\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp_case("body", "PORN\b")) then call spamdetect(0.650000, "Possible adult material - in ALL CAPS") end if if(rexp("Subject", "\w.*\b(?!ADV\.)A\s*D\s*V\b")) then call spamdetect(2.299000, "Subject: contains advertising tag") end if if(rexp("Subject", "^\W*ADV\b")) then call spamdetect(2.899000, "Subject: starts with advertising tag") end if call rexp_fast(0.226000, "adult.{0,9}(?:entertainment|sites?|industry|only|business|membership)", "Possible adult material - Adult Web Sites") if(rexp("head", "^(To|From|Cc|Reply-To):\s*$")) then setflag("__THEBAT_MSGID2") end if if(evalflags("( __THEBAT_MUA && __THEBAT_MSGID2 )")) then call spamdetect(0, "Forged mail pretending to be from The Bat!") end if if(rexp("Subject", "overnight\ .{0,25}(?:delivery|shipment)")) then call spamdetect(1.100000, "Expecting a delivery?") end if if(rexp("Subject", "to\ your\ door")) then call spamdetect(1.100000, "Expecting a delivery?") end if if(rexp("cleansubject","Via{0,1}gra{0,1}")) then call spamdetect(2.500000,"Plugs Viagra") end if if(rexp("cleansubject", "Va{0,1}l{0,1}i{0,1}um")) then call spamdetect(1.500000, "Plugs Valium") end if if(rexp("cleansubject", "Xa{0,1}na{0,1}x")) then call spamdetect(1.000000, "Plugs Xanax") end if if(rexp("cleansubject", "Pro{0,1}za{0,1}c")) then call spamdetect(1.000000, "Plugs Prozac") end if if(rexp("cleansubject", "Adi{0,1}pex")) then call spamdetect(1.000000, "Plugs Adipex") end if if(rexp("cleansubject", "Di{0,1}a{0,1}zepa{0,1}m")) then call spamdetect(1.000000, "Plugs Diazepam") end if if(rexp("cleansubject", "A{0,1}mbi{0,1}en")) then call spamdetect(1.000000, "Plugs Ambien") end if if(rexp("cleansubject", "Cel{0,1}ebrex")) then call spamdetect(1.000000, "Plugs Celebrex") end if if(rexp("cleansubject", "Phentermi{0,1}ne")) then call spamdetect(1.500000, "Plugs Phentermine") end if if(rexp("cleansubject", "Meri{0,1}di{0,1}a")) then call spamdetect(1.000000, "Plugs Meridia") end if if(rexp("cleansubject", "Ul{0,1}tra{0,1}m\s")) then call spamdetect(1.000000, "Plugs Ultram") end if if(rexp("cleansubject", "Xeni{0,1}ca{0,1}l{0,1}")) then call spamdetect(1.200000, "Plugs Xenical") end if if(rexp("cleansubject", "Levi{0,1}tra{0,1}\s")) then call spamdetect(1.000000, "Plugs Levitra") end if if(rexp("cleansubject", "Tra{0,1}ma{0,1}do{0,1}l{0,1}\s")) then call spamdetect(1.000000, "Plugs Tramadol") end if if(rexp("cleansubject", "si{0,1}l{0,1}dena{0,1}fi{0,1}l{0,1}\sci{0,1}tra{0,1}te")) then call spamdetect(2.500000, "Plugs sildenafil citrate") end if if(rexp("cleansubject", "Fl{0,1}o{0,1}na{0,1}se\s")) then call spamdetect(0.500000, "Plugs Flonase") end if if(rexp("cleansubject", "Di{0,1}drex")) then call spamdetect(0.500000, "Plugs Didrex") end if if(rexp("cleansubject", "Ci{0,1}a{0,1}l{0,1}a{0,1}gen\s")) then call spamdetect(0.200000, "Plugs Cialagen") end if if(rexp("cleansubject", "Tri{0,1}pha{0,1}si{0,1}l{0,1}\s")) then call spamdetect(1.000000, "Plugs Triphasil") end if if(rexp("cleansubject", "Re{0,1}ga{0,1}l{0,1}i{0,1}s\s")) then call spamdetect(2.500000,"Plugs Regalis") end if if(rexp("cleansubject", "Dya{0,1}pex\s")) then call spamdetect(1.000000, "Plugs Dyapex") end if if(rexp("cleansubject", "prescri{0,1}pti{0,1}o{0,1}n")) then call spamdetect(3.000000, "Need a prescription?") end if if(rexp("cleansubject", "pha{0,1}rma{0,1}c(?:y|i{0,1}es)")) then call spamdetect(1.000000, "Need a prescription?") end if if(rexp("cleansubject", "generi{0,1}c")) then call spamdetect(0.800000, "Genric is cheaper") end if if(isin("body","Viagra")) then call spamdetect(1.5,"Plugs Viagra") else if(rexp("cleanbody", "Vi{0,1}a{0,1}gra{0,1}")) then call spamdetect(2.500000, "Plugs Viagra") end if end if # Begin common incorrect Viagra spellings if(rexp("cleanbody", "Vi{0,1}a{0,1}rga{0,1}")) then call spamdetect(2.500000, "Plugs Viagra (sp)") end if if(rexp("cleanbody", "Via{0,1}gr{1,2}a{0,2}")) then call spamdetect(2.500000, "Plugs Viagra (sp)") end if if(rexp("cleanbody", "Vla{0,1}gr{1,2}a{0,2}")) then call spamdetect(2.500000, "Plugs Viagra (sp)") end if if(rexp("cleanbody", "Vi{0,1}rgraa")) then call spamdetect(2.500000, "Plugs Viagra (sp)") end if # End common incorrect Viagra spellings if(rexp("cleanbody", "Va{0,1}l{0,1}i{0,1}um")) then call spamdetect(0.500000, "Plugs Valium") end if if(rexp("cleanbody", "Xa{0,1}na{0,1}x")) then call spamdetect(0.700000, "Plugs Xanax") end if if(rexp("cleanbody", "Pro{0,1}za{0,1}c")) then call spamdetect(0.500000, "Plugs Prozac") end if if(rexp("cleanbody", "Adi{0,1}pex")) then call spamdetect(0.500000, "Plugs Adipex") end if if(rexp("cleanbody", "Di{0,1}a{0,1}zepa{0,1}m")) then call spamdetect(0.500000, "Plugs Diazepam") end if if(rexp("cleanbody", "A{0,1}mbi{0,1}en")) then call spamdetect(0.400000, "Plugs Ambien") end if if(rexp("cleanbody", "Cel{0,1}ebrex")) then call spamdetect(0.600000, "Plugs Celebrex") end if if(rexp("cleanbody", "Phentermi{0,1}ne")) then call spamdetect(0.500000, "Plugs Phentermine") end if if(rexp("cleanbody", "Meri{0,1}di{0,1}a")) then call spamdetect(0.500000, "Plugs Meridia") end if if(rexp("cleanbody", "Ul{0,1}tra{0,1}m\s")) then call spamdetect(0.400000, "Plugs Ultram") end if if(rexp("cleanbody", "Xeni{0,1}ca{0,1}l{0,1}")) then call spamdetect(0.600000, "Plugs Xenical") end if if(rexp("cleanbody", "Levi{0,1}tra{0,1}\s")) then call spamdetect(0.200000, "Plugs Levitra") end if if(rexp("cleanbody", "Tra{0,1}ma{0,1}do{0,1}l{0,1}\s")) then call spamdetect(0.200000, "Plugs Tramadol") end if if(rexp("cleanbody", "si{0,1}l{0,1}dena{0,1}fi{0,1}l{0,1}\sci{0,1}tra{0,1}te")) then call spamdetect(0.200000, "Plugs sildenafil citrate") end if if(rexp("cleanbody", "Fl{0,1}o{0,1}na{0,1}se\s")) then call spamdetect(0.500000, "Plugs Flonase") end if if(rexp("cleanbody", "Di{0,1}drex")) then call spamdetect(0.500000, "Plugs Didrex") end if if(rexp("cleanbody", "Ci{0,1}a{0,1}l{0,1}a{0,1}gen\s")) then call spamdetect(0.200000, "Plugs Cialagen") end if if(rexp("cleanbody", "Tri{0,1}pha{0,1}si{0,1}l{0,1}\s")) then call spamdetect(1.500000, "Plugs Triphasil") end if if(rexp("cleanbody", "Re{0,1}ga{0,1}l{0,1}i{0,1}s\s")) then call spamdetect(2.500000,"Plugs Regalis") end if if(rexp("cleanbody", "Dya{0,1}pex\s")) then call spamdetect(1.000000, "Plugs Dyapex") end if if(!isin("body","Refinanc")) then if(rexp("cleanbody", "Refi{0,1}na{0,1}nc")) then call spamdetect(2.000000, "Obscured interest rates/mortgages") end if end if if(!isin("body","Interest Rates")) then if(rexp("cleanbody", "I{0,1}nterest\sRa{0,1}tes\s")) then call spamdetect(2.000000, "Obscured interest rates/mortgages") end if end if if(!isin("body","mortgage")) then if(rexp("cleanbody", "mo{0,1}rtga{0,1}ge\s")) then call spamdetect(2.000000, "Obscured interest rates/mortgages") end if end if if(!isin("body","obligation")) then if(rexp("cleanbody", "\so{0,1}bl{0,1}i{0,1}ga{0,1}ti{0,1}o{0,1}n?\s")) then call spamdetect(2.000000, "Obscured no obligation") end if end if if(!isin("body","penis")) then if(rexp("cleanbody","peni{0,1}s")) then call spamdetect(1.000000, "Obscured penis") end if end if if(!isin("body","orgasm")) then if(rexp("cleanbody","\so{0,1}rga{0,1}sms{0,1}\s")) then call spamdetect(1.000000, "Obscured orgasm") end if end if if(!isin("body","ejaculation")) then if(rexp("cleanbody","eja{0,1}cul{0,1}a{0,1}ti{0,1}o{0,1}n")) then call spamdetect(1.500000, "Obscured ejaculation") end if end if if(!isin("body","save")) then if(rexp("cleanbody","save")) then call spamdetect(0.250000, "Obscured Save") end if end if if(!isin("subject","free")) then if(rexp("cleansubject","free")) then call spamdetect(0.250000, "Obscured Free") end if end if if(!isin("body","Microsoft")) then if(rexp("cleanbody","Mi{0,1}cro{0,1}so{0,1}ft")) then call spamdetect(0.250000, "Cheap software") end if end if if(!isin("body","enhancement")) then if(isin("cleanbody","enhancement")) then call spamdetect(1.500000, "Enhance what?") end if end if if(isin("cleanbody","Email Marketing")) then call spamdetect(0.500000,"E-mail marketing") end if if(isin("cleanbody","Targeted Email")) then call spamdetect(0.500000,"E-mail marketing") end if if(!isin("subject","enhancement")) then if(isin("cleansubject","enhancement")) then call spamdetect(1.500000, "Enhance what?") end if end if if(isin("cleansubject","get it up")) then call spamdetect(0.070000, "Get what up?") end if if(isin("cleansubject","Attract Women")) then call spamdetect(0.500000,"Attract women in subject") end if if(isin("body","Nigeria")) then call rexp_fast(1.500000, "late\ .{0,9}husband", "Looks like another Nigerian scam") end if if(rexp("Subject", "\bNow\ Only")) then call spamdetect(0.045000, "Subject contains 'Now Only'") end if if(rexp("Subject", "\swant?\ to\ meet\s")) then call spamdetect(0.200000, "Feel like meeting a stranger?") end if if(rexp("Subject", "\Free\ (?:cable|satellite|Pay\ Per\ View)")) then call spamdetect(0.700000, "Free TV") end if if(isin("Subject","Stop Spam")) then call spamdetect(0.500000,"Stop spam or get more?") end if if(isin("body","top--sites")) then call spamdetect(4.00000,"Postmaster spammers!") end if call rexp_fast(0.30000, "Our\ .{0,10}\ Price", "Our price") if(isin("cleansubject","ebay")) then if(rexp("cleansubject","easy")) then call spamdetect(1.0,"eBay spam") end if if(rexp("cleansubject","Mo{0,1}ney")) then call spamdetect(1.5,"eBay spam") end if end if if(isin("cleansubject","Order")) then call spamdetect(0.20000,"What are we ordering?") end if if(isin("cleansubject","your home")) then call spamdetect(0.20000,"Something from home") end if if(isin("cleanbody","RND_SYB")) then call spamdetect(4.000000,"%RND_SYB") end if # Temporary rules for specific spam - Do you feel special for being singled out? # The rules in this section are likely present for a short period only. I have prefixed these with 'T:' for easy identification. # Should they cause any problems with legitimate mail, please e-mail us so we can remove them. if(isin("cleanbody","Banned CD Government")) then call spamdetect(4.000000,"T: Banned CD") end if if(rexp_case("cleanbody","Free\sCable\s{0,1}TV")) then call spamdetect(4.0,"Free Cable TV spam!") end if if(isin("cleanbody","NO LUCK ENLARGING IT")) then call spamdetect(4.000000,"T: Penis enlargement") end if if(isin("cleanbody","Genierc and Super Viarga")) then call spamdetect(4.000000,"T: Penis enlargement") end if if(isin("cleanbody","Have amazing s")) then call spamdetect(2.500000,"T: Be better than average") end if if(isin("cleanbody","reach millions")) then call spamdetect(2.500000,"T: Millions want to be reached?") end if if(isin("cleanbody","I finally was able to lose the weight I have")) then call spamdetect(4.000000,"T: Weight loss spam") end if if(isin("cleanbody","up to 10 seconds to the graphic")) then call spamdetect(4.000000,"T: Work from home") end if if(isin("cleanbody","PURE CHILD P0RN")) then call spamdetect(4.000000,"T: CP spam") end if if(isin("cleanbody","Mikes Apartment Tranny Surprise")) then call spamdetect(4.000000,"T: Porn spam") end if if(isin("cleanbody","Big Naturals Cum Fiesta")) then call spamdetect(4.000000,"T: Porn spam") end if if(isin("subject","Pilates")) then call spamdetect(3.000000,"T: Pilates") end if if(isin("cleanbody","Are You Ready for an Exciting Change in Your Life")) then call spamdetect(3.000000,"T: Change") end if if(isin("rawbody","")) then call spamdetect(0.500000,"T: Possible CP spam") end if if(isin("cleansubject","Amazing Red bullet")) then call spamdetect(4.000000,"T: Sex enhancing pills") end if if(isin("cleansubject","the banks are ripping you off")) then call spamdetect(4.000000,"T: Paying the bank too much?") end if if(isin("cleanbody","CrimeOnLine")) then call spamdetect(3.000000,"T: Crime-On-Line") end if if(isin("cleansubject","Sick of SPAM")) then call spamdetect(4.000000,"T: We love spam don't we?") end if if(isin("cleansubject","Cheapest prescriptions on the internet")) then call spamdetect(4.000000,"T: Cheapest prescriptions") end if if(isin("cleanbody","User had used an automated software for url submission")) then call spamdetect(4.000000,"T: Search engine submission lies!") end if if(isin("subject","Valī(u)m")) then call spamdetect(4.000000,"T: Online prescriptions") end if if(isin("cleansubject","smiley faces for your email")) then call spamdetect(4.000000,"T: HTML e-mail is evil!") end if if(isin("cleansubject","NFO Welcomes You")) then call spamdetect(4.000000,"T: NFO Welcomes You") end if if(isin("cleansubject","let FindRomance help you")) then call spamdetect(4.000000,"T: FindRomance") end if if(isin("cleansubject","reduction of body fat")) then call spamdetect(4.000000,"T: Weight loss") end if if(isin("rawbody","font-size: 1;")) then call spamdetect(2.500000,"T: Small text padding") end if if(isin("cleanbody","AJALA AND GOD ASSOCIATES")) then call spamdetect(4.000000,"T: You inherit NOTHING!") end if if(isin("cleanbody","SDH Solution Group")) then call spamdetect(4.000000,"T: Web design/hosting") end if if(isin("cleanbody","If you do not see a picture below please hold")) then call spamdetect(4.000000,"T: Loading picture") end if #include local.rul