70_sare_html.cf 104 KB

  1. # SARE HTML Ruleset for SpamAssassin - ruleset 0
  2. # Version: 01.03.10
  3. # Created: 2004-03-31
  4. # Modified: 2006-06-03
  5. # Usage instructions, documentation, and change history in 70_sare_html0.cf
  6. #@@# Revision History: Full Revision History stored in 70_sare_html.log
  7. #@@# 01.03.09: May 31 2006
  8. #@@# Minor score tweaks based on recent mass-checks
  9. #@@# Moved file 0 to file 2: SARE_HTML_EHTML_OBFU
  10. #@@# Moved file 0 to file 2: SARE_HTML_HEAD_AFFIL
  11. #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU1
  12. #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU2
  13. #@@# Moved file 0 to file 2: SARE_HTML_ONE_LINE3
  14. #@@# Moved file 0 to file 2: SARE_HTML_POB1200
  15. #@@# Moved file 0 to file 2: SARE_HTML_URI_HIDADD
  16. #@@# Moved file 0 to file 2: SARE_HTML_URI_LOGOGEN
  17. #@@# Moved file 0 to file 2: SARE_HTML_URI_OFF
  18. #@@# Moved file 0 to file 2: SARE_HTML_USL_B7
  19. #@@# Moved file 0 to file 2: SARE_HTML_USL_B9
  20. #@@# Moved file 0 to file 2: SARE_PHISH_HTML_01
  21. #@@# Added file 0: SARE_HTML_FLOAT1
  22. #@@# 01.03.10: June 3 2006
  23. #@@# Minor score tweaks based on recent mass-checks
  24. #@@# Added file 0 SARE_HTML_LINKWARN
  25. #@@# Added file 0 SARE_HTML_SPANNER
  26. # License: Artistic - see http://www.rulesemporium.com/license.txt
  27. # Current Maintainer: Bob Menschel - RMSA@Menschel.net
  28. # Current Home: http://www.rulesemporium.com/rules/70_sare_html0.cf
  29. #
  30. # Usage: This family of files, 70_sare_html*.cf, contain rules that test HTML strings within emails
  31. # (except URIs, which are handled in the 70_sare_uri*.cf family of files).
  32. #
  33. # File 0: 70_sare_html0.cf -- These are html rules that hit at least 10 spam and no ham.
  34. # While SARE cannot guarantee they never will hit ham, they have not hit ham in any SARE mass-check, against tens of thousands of ham.
  35. # This is a rules file we expect any/all email systems using SpamAssassin to benefit from.
  36. #
  37. # File 1: 70_sare_html1.cf -- These are html rules that meet one of the following criteria:
  38. # a) Rules that do, or in the past have hit ham during SARE mass-check tests
  39. # b) Rules that hit no ham and currently do not hit more than 10 spam in any single mass-check run.
  40. # If the rules hit ham, they hit at least 10 spam to each 1 ham.
  41. # If the rules hit ham, they hit fewer than 100 ham
  42. # With few exceptions these rules score significantly less than the rules in file 0.
  43. # Systems which are very sensitive to false positives and/or need to be very careful about resource use may want to exclude this ruleset,
  44. # pick and choose among its rules, or lower their scores.
  45. # Systems that use this file 1 should ALSO use file 0.
  46. #
  47. # File 2: 70_sare_html2.cf -- These html rules hit no spam at this time, but they are considered "safe" rules that should never hit ham.
  48. # These are primarily rules that test for specific html seen only in spam, or similar types of "pretty darn sure" rules.
  49. # Systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset file to avoid its overhead,
  50. # but systems with plenty of resources that want to be aggressive against spam may benefit from this ruleset file.
  51. #
  52. # File 3: 70_sare_html3.cf -- These are html rules that hit a significant amount of ham during SARE mass-check tests.
  53. # Systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
  54. #
  55. # File 4: 70_sare_html4.cf -- These are html rules that meet one of the following criteria:
  56. # a) They hit over 100 ham during SARE mass-check tests, but still hit enough spam to be worth while to aggressively anti-spam systems.
  57. # b) They hit no emails at this time, but have been recommended by anti-spam sources.
  58. # Again, systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
  59. #
  60. # eng: 70_sare_html_eng.cf -- These are html rules which work well within the English language, but are liable to cause false
  61. # positives in other languages. They include rules which test for letter combinations. Systems that
  62. # receive ham in languages other than English should NOT use this file.
  63. #
  64. # x30: 70_sare_html_x30.cf -- These are html rules which have been incorporated into SpamAssassin 3.0.x,
  65. # or which duplicate or greatly overlap 3.0.x rules.
  66. # Systems which have installed SpamAssassin 3.0.x should therefore NOT use this file.
  67. #
  68. # arc: 70_sare_html_arc.cf -- These are html rules that once were published in other files, but which have since lost all value.
  69. # They either hit too much ham (without hitting enough spam to make it worth while), or they don't hit any spam.
  70. # SARE regularly runs mass-checks on these rules to see if any of them are worth reviving, but
  71. # we expect that nobody will be running these rules in any production system.
  72. #
  73. ######## ###################### ##################################################
  74. ######## ###################### ##################################################
  75. # Rules renamed or moved
  76. ######## ###################### ##################################################
  # Tombstones for rule names this file no longer defines: each renamed or moved
  # rule is redefined as a meta whose only term is __SARE_HEAD_FALSE.
  # __SARE_HEAD_FALSE is not defined anywhere in this listing; presumably it is a
  # sub-rule that never matches, so these names never score. Confirm that it is
  # loaded (check with `spamassassin --lint`), otherwise the metas depend on an
  # undefined rule.
  # NOTE(review): the revision history above says several of these names were
  # moved to file 2. If that file is loaded as well, which definition is live
  # presumably depends on load order -- verify before referencing any of these
  # names in local scores or metas.
  77. meta SARE_HTML_ALT_WAIT2 __SARE_HEAD_FALSE
  78. meta SARE_HTML_BADOPEN __SARE_HEAD_FALSE
  79. meta SARE_HTML_BAD_FG_CLR __SARE_HEAD_FALSE
  80. meta SARE_HTML_COLOR_B __SARE_HEAD_FALSE
  81. meta SARE_HTML_COLOR_NWHT3 __SARE_HEAD_FALSE
  82. meta SARE_HTML_FONT_INVIS2 __SARE_HEAD_FALSE
  83. meta SARE_HTML_FSIZE_1ALL __SARE_HEAD_FALSE
  84. meta SARE_HTML_GIF_DIM __SARE_HEAD_FALSE
  85. meta SARE_HTML_HTML_AFTER __SARE_HEAD_FALSE
  86. meta SARE_HTML_HTML_DBL __SARE_HEAD_FALSE
  87. meta SARE_HTML_HTML_TBL __SARE_HEAD_FALSE
  88. meta SARE_HTML_IMG_ONLY __SARE_HEAD_FALSE
  89. meta SARE_HTML_JVS_HREF __SARE_HEAD_FALSE
  90. meta SARE_HTML_MANY_BR10 __SARE_HEAD_FALSE
  # NOTE(review): exact repeat of the previous line; the second definition is redundant.
  91. meta SARE_HTML_MANY_BR10 __SARE_HEAD_FALSE
  92. meta SARE_HTML_NO_BODY __SARE_HEAD_FALSE
  93. meta SARE_HTML_NO_HTML1 __SARE_HEAD_FALSE
  94. meta SARE_HTML_P_JUSTIFY __SARE_HEAD_FALSE
  95. meta SARE_HTML_TITLE_SEX __SARE_HEAD_FALSE
  96. meta SARE_HTML_URI_2SLASH __SARE_HEAD_FALSE
  97. meta SARE_HTML_URI_AXEL __SARE_HEAD_FALSE
  98. meta SARE_HTML_URI_BADQRY __SARE_HEAD_FALSE
  99. meta SARE_HTML_URI_FORMPHP __SARE_HEAD_FALSE
  100. meta SARE_HTML_URI_HREF __SARE_HEAD_FALSE
  101. meta SARE_HTML_URI_MANYP2 __SARE_HEAD_FALSE
  102. meta SARE_HTML_URI_MANYP3 __SARE_HEAD_FALSE
  103. meta SARE_HTML_URI_NUMPHP3 __SARE_HEAD_FALSE
  104. meta SARE_HTML_URI_OBFU4 __SARE_HEAD_FALSE
  105. meta SARE_HTML_URI_OBFU4a __SARE_HEAD_FALSE
  106. meta SARE_HTML_URI_PARTID __SARE_HEAD_FALSE
  107. meta SARE_HTML_URI_RID __SARE_HEAD_FALSE
  108. meta SARE_HTML_USL_MULT __SARE_HEAD_FALSE
  109. meta SARE_HTML_FONT_EBEF __SARE_HEAD_FALSE
  110. meta SARE_HTML_URI_DEFASP __SARE_HEAD_FALSE
  111. meta SARE_HTML_INV_TAGA __SARE_HEAD_FALSE
  112. meta SARE_HTML_EHTML_OBFU __SARE_HEAD_FALSE
  113. meta SARE_HTML_HEAD_AFFIL __SARE_HEAD_FALSE
  114. meta SARE_HTML_LEAKTHRU1 __SARE_HEAD_FALSE
  115. meta SARE_HTML_LEAKTHRU2 __SARE_HEAD_FALSE
  116. meta SARE_HTML_ONE_LINE3 __SARE_HEAD_FALSE
  117. meta SARE_HTML_POB1200 __SARE_HEAD_FALSE
  118. meta SARE_HTML_URI_HIDADD __SARE_HEAD_FALSE
  119. meta SARE_HTML_URI_LOGOGEN __SARE_HEAD_FALSE
  120. meta SARE_HTML_URI_OFF __SARE_HEAD_FALSE
  121. meta SARE_HTML_USL_B7 __SARE_HEAD_FALSE
  122. meta SARE_HTML_USL_B9 __SARE_HEAD_FALSE
  123. meta SARE_PHISH_HTML_01 __SARE_HEAD_FALSE
  124. ######## ###################### ##################################################
  # Unscored building blocks: names starting with "__" are sub-rules meant to be
  # combined in meta rules. None of them is referenced in the visible part of
  # this file, so their consumers are presumably in the other 70_sare_html*.cf files.
  # The first group asks the HTML parser whether a given tag occurs in the message.
  # NOTE(review): stock SpamAssassin rules call html_tag_exists from `body` rules;
  # run `spamassassin --lint` to confirm your version accepts it under `rawbody`.
  125. rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
  126. rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
  127. rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
  128. rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
  129. rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
  130. rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
  131. rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
  132. rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
  # Literal tag-sequence probes (case-insensitive). The m'...' delimiters let the
  # patterns contain "/" without escaping.
  # <html> directly followed by <body>, with no <head> or whitespace between them.
  133. rawbody __SARE_HTML_HBODY m'<html><body>'i
  # <body> directly followed by </html>: a body that is opened but never closed.
  134. rawbody __SARE_HTML_BEHTML m'<body></html>'i
  # Line-anchored variant that accepts either <body> or </body> before </html>.
  135. rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
  # A line that starts with a closing </font> tag.
  136. rawbody __SARE_HTML_EFONT m'^</font>'i
  # Closing tags in the wrong order: </html> before </body> at the start of a line.
  137. rawbody __SARE_HTML_EHEB m'^</html></body>'i
  # Case-sensitive (no /i): lowercase <center> immediately followed by a comment opener.
  138. rawbody __SARE_HTML_CMT_CNTR /<center><!--/
  139. # JH: These rules test for strange color combinations. There might be even more powerful combinations, but I haven't had time to check them all.
  # Sub-rule: a foreground `color` attribute or CSS property set to a light but not
  # pure-white value. `[^\-a-z]color` keeps bgcolor / background-color out.
  # After ":" or "=" (also "=3d", presumably a quoted-printable "=" left undecoded)
  # and up to ten quote/space characters, it accepts any of:
  #   - hex values whose channels all start with e or f (fff / ffffff excluded by lookahead)
  #   - rgb() triples where each component matches 2[2-5][0-9] (255,255,255 excluded)
  #   - rgb() percentages of 86-100 (100%,100%,100% excluded)
  #   - one of the listed light colour names
  # Every whitespace run is bounded ({0,10}), which limits backtracking on hostile input.
  140. rawbody __SARE_LIGHT_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!fff\W|ffffff)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
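  # Sub-rule: a foreground `color` set to pure white -- fff / ffffff,
  # rgb(255,255,255), rgb(100%,100%,100%) or the name "white" (case-insensitive).
  # `[^\-a-z]color` keeps bgcolor / background-color out.
  # The percentage alternative opens with `\(`. It was previously written
  # `\\s{0,10}`, i.e. a literal backslash followed by up to ten "s" characters,
  # which left the closing `\)` unpaired and kept rgb(100%,100%,100%) from
  # matching. The alternative now has the same form as in __SARE_WHITE_BG_COLOR.
  141. rawbody __SARE_WHITE_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i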
  # Remaining colour sub-rules. None is scored on its own and no meta in the
  # visible part of this file references them.
  # FG rules start with `[^\-a-z]color`, which excludes bgcolor / background-color;
  # BG rules require the `bg` or `background-` prefix. All whitespace runs are
  # bounded ({0,10}).
  # Dark foreground: hex channels starting with 0 or 1 (pure black excluded), or
  # rgb() components / percentages matching [0-3]?[0-9] (all-zero excluded).
  142. rawbody __SARE_DARK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
  # Pure-black foreground: 000 / 000000, rgb(0,0,0), rgb(0%,0%,0%) or "black".
  # NOTE(review): the black rules allow whitespace between "rgb" and "(", while
  # the dark rules in this block do not -- an inconsistency worth confirming.
  143. rawbody __SARE_BLACK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
  # Light (not pure-white) background: same value set as the light foreground rule.
  144. rawbody __SARE_LIGHT_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!ffffff|fff\W)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
  # Pure-white background: fff / ffffff, rgb(255,255,255), rgb(100%,100%,100%) or "white".
  145. rawbody __SARE_WHITE_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
  # Dark (not pure-black) background: same value set as the dark foreground rule.
  146. rawbody __SARE_DARK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
  # Pure-black background.
  147. rawbody __SARE_BLACK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
  # Presence checks only: any background / foreground colour assignment, whatever the value.
  148. rawbody __SARE_HAS_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=)/i
  149. rawbody __SARE_HAS_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=)/i
  150. ######## ###################### ##################################################
  151. # <HTML> and <BODY> tag spamsign
  152. ######## ###################### ##################################################
  153. ######## ###################### ##################################################
  154. # <A> and HREF rules
  155. ######## ###################### ##################################################
  # Fires when "href" is followed, after zero or more word characters, by a second
  # "href" (case-insensitive): two attribute names run together with no separator,
  # which the description calls a malformed anchor/href tag.
  # Triage: the mass-check counts recorded below date from 2004-2006 and the score
  # is fixed at 3.333; re-validate against current mail before relying on it.
  156. rawbody SARE_HTML_A_INV /href\w*href/i
  157. describe SARE_HTML_A_INV HTML has malformed anchor/href tag
  158. score SARE_HTML_A_INV 3.333
  159. #stype SARE_HTML_A_INV spamg
  160. #wasalso SARE_HTML_A_INV /href[a-z]*href/i
  161. #wasalso SARE_HTML_A_INV Fred's FR_FUNNY_HREF
  162. #wasalso SARE_HTML_A_INV /\w\whref=http:/i from David B Funk <dbfunk@engineering.uiowa.edu> Wed, 17 Mar 2004 04:04:58 -0600 (CST)
  163. #counts SARE_HTML_A_INV 8s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  164. #max SARE_HTML_A_INV 628s/0h of 66351 corpus (40971s/25380h RM) 08/21/04
  165. #counts SARE_HTML_A_INV 7s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
  166. #counts SARE_HTML_A_INV 38s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  167. #counts SARE_HTML_A_INV 4s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  168. #max SARE_HTML_A_INV 23s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  169. #counts SARE_HTML_A_INV 2s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
  170. #counts SARE_HTML_A_INV 8s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  171. #max SARE_HTML_A_INV 101s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  172. #counts SARE_HTML_A_INV 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  173. #counts SARE_HTML_A_INV 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  174. #max SARE_HTML_A_INV 2s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
  # Matches the identifier ShowLinkWarning as a whole word. There is no /i flag, so
  # the match is case-sensitive. The description does not say what the token is;
  # presumably it is a script or function name seen in spam HTML. The rule keys on
  # that one literal, so a renamed variant will not be caught.
  175. rawbody SARE_HTML_LINKWARN /\bShowLinkWarning\b/
  176. score SARE_HTML_LINKWARN 1.133
  177. describe SARE_HTML_LINKWARN Possible spam sign in HTML
  178. #hist SARE_HTML_LINKWARN Loren Wilton, April 2006
  179. #counts SARE_HTML_LINKWARN 126s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  180. #counts SARE_HTML_LINKWARN 5s/0h of 55981 corpus (51658s/4323h AxB2) 05/15/06
  181. #counts SARE_HTML_LINKWARN 17s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
  182. #counts SARE_HTML_LINKWARN 60s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
  183. #counts SARE_HTML_LINKWARN 168s/0h of 42253 corpus (34139s/8114h FVGT) 05/15/06
  184. #counts SARE_HTML_LINKWARN 12s/0h of 106183 corpus (72941s/33242h ML) 05/14/06
  185. #counts SARE_HTML_LINKWARN 26s/0h of 22939 corpus (17232s/5707h MY) 05/14/06
  186. ######## ###################### ##################################################
  187. # Spamsign character sets and fonts
  188. ######## ###################### ##################################################
  # Matches a line that begins with a <font> element styled font-size:1px wrapping
  # 30 or more letters and a trailing period, closed by </font><br>
  # (case-insensitive): a long run of text rendered too small to read.
  # The m'...' delimiters let the pattern contain "/" without escaping.
  # The attribute must appear exactly as written (unquoted, no spaces), so the
  # rule is tied to one specific generator output.
  189. rawbody SARE_HTML_FONT_LWORD m'^<font style=font-size:1px>[a-z]{30,}\.</font><br>'i
  190. describe SARE_HTML_FONT_LWORD unusual document format
  191. score SARE_HTML_FONT_LWORD 1.666
  192. #hist SARE_HTML_FONT_LWORD Loren Wilton: LW_SPAMFERSURE
  193. #counts SARE_HTML_FONT_LWORD 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  194. #max SARE_HTML_FONT_LWORD 194s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
  195. #counts SARE_HTML_FONT_LWORD 2s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  196. #counts SARE_HTML_FONT_LWORD 81s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  197. #counts SARE_HTML_FONT_LWORD 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
  198. #counts SARE_HTML_FONT_LWORD 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  199. #max SARE_HTML_FONT_LWORD 2s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  # `full` rule: it is matched against the whole message rather than line by line,
  # which is what lets the pattern span the two newlines.
  # It looks for `<font color=` immediately followed by a blank line and then an
  # optionally quoted six-character "#" value whose first, third and fifth
  # characters are a-f (a bright colour, per the description).
  # `\#` is escaped, presumably because an unescaped "#" would start a comment in
  # a .cf file.
  200. full SARE_HTML_FONT_SPLIT /<font color=\n\n"?\#[a-f]\w[a-f]\w[a-f]\w"?>/i
  201. describe SARE_HTML_FONT_SPLIT HTML bright font color tag split by blank lines
  202. score SARE_HTML_FONT_SPLIT 1.666
  203. #hist SARE_HTML_FONT_SPLIT David B Funk <dbfunk@engineering.uiowa.edu> Wed, 17 Mar 2004 04:04:58 -0600 (CST)
  204. #overlap SARE_HTML_FONT_SPLIT Overlaps strongly with SARE_HTML_A_INV, though there's no regex overlap
  205. #overlap SARE_HTML_FONT_SPLIT Overlaps strongly with SARE_HTML_FONT_SPL for obvious reasons, but not enough to warrant dropping one.
  206. #counts SARE_HTML_FONT_SPLIT 5s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  207. #max SARE_HTML_FONT_SPLIT 431s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
  208. #counts SARE_HTML_FONT_SPLIT 5s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
  209. #counts SARE_HTML_FONT_SPLIT 1s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  210. #max SARE_HTML_FONT_SPLIT 14s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  211. #counts SARE_HTML_FONT_SPLIT 31s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  212. #counts SARE_HTML_FONT_SPLIT 6s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  213. #max SARE_HTML_FONT_SPLIT 65s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  214. #counts SARE_HTML_FONT_SPLIT 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  215. #counts SARE_HTML_FONT_SPLIT 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  216. ######## ###################### ##################################################
  217. # <TITLE> Tag Tests
  218. ######## ###################### ##################################################
  219. ######## ###################### ##################################################
  220. # Obviously invalid html tag
  221. ######## ###################### ##################################################
  222. ######## ###################### ##################################################
  223. # Invalid or Suspicious URI Tests
  224. ######## ###################### ##################################################
  225. ######## ###################### ##################################################
  226. # <!-- Comment tag tests
  227. ######## ###################### ##################################################
  228. ######## ###################### ##################################################
  229. # Image tag tests
  230. ######## ###################### ##################################################
  # Matches a quoted Content-ID reference of the exact shape
  # "cid:XXXXXXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX_csseditor", where each X is an
  # uppercase A-Z letter. Deliberately case-sensitive (see the trailing "# no /i").
  # The signature is tied to one naming scheme: in the counts below the RM corpus
  # went from 1224 hits (09/18/05) to 0 (05/12/06), so treat it as a dated indicator.
  231. rawbody SARE_HTML_IMG_CID2 /\"cid:(?:[A-Z]{8}\.){3}[A-Z]{8}_csseditor\"/ # no /i
  232. describe SARE_HTML_IMG_CID2 table spam image
  233. score SARE_HTML_IMG_CID2 2.222
  234. #hist SARE_HTML_IMG_CID2 Loren Wilton, May 2005
  235. #counts SARE_HTML_IMG_CID2 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  236. #max SARE_HTML_IMG_CID2 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  237. #counts SARE_HTML_IMG_CID2 66s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  238. #max SARE_HTML_IMG_CID2 114s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  239. #counts SARE_HTML_IMG_CID2 63s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  240. #counts SARE_HTML_IMG_CID2 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
  241. #counts SARE_HTML_IMG_CID2 45s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  242. #counts SARE_HTML_IMG_CID2 8s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  243. #counts SARE_HTML_IMG_CID2 4s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  244. #max SARE_HTML_IMG_CID2 37s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  245. ######## ###################### ##################################################
  246. # Javascript and object tests
  247. ######## ###################### ##################################################
  248. ######## ###################### ##################################################
  249. # Header tags
  250. ######## ###################### ##################################################
  251. ######## ###################### ##################################################
  252. # Paragraphs, breaks, and spacings
  253. ######## ###################### ##################################################
  # SARE_HTML_FLOAT1 fires when either sub-rule matches a line that holds nothing
  # but the word "float" (optionally followed by ":"), optionally preceded by
  # `="` or `=3D"` -- presumably a CSS float declaration deliberately broken
  # across lines.
  # The two patterns overlap almost completely; under /i the [Dd] class in 1A is
  # equivalent to the plain D in 1B. Both are anchored with ^ and $, so "float"
  # inside a longer line does not match.
  254. rawbody __SARE_HTML_FLOAT1A /^\s*(?:=(?:3[Dd])?\s*\"\s*)?float\s*(?:\:\s*)?$/i
  255. rawbody __SARE_HTML_FLOAT1B /^(?:\s*|=(?:3D)?")?float:?\s*$/i
  256. meta SARE_HTML_FLOAT1 __SARE_HTML_FLOAT1A || __SARE_HTML_FLOAT1B
  257. describe SARE_HTML_FLOAT1 Contains HTML formatting used in spam
  258. score SARE_HTML_FLOAT1 2.666
  259. #counts SARE_HTML_FLOAT1 574s/0h of 192466 corpus (93270s/99196h RM) 05/31/06
  260. #counts SARE_HTML_FLOAT1 21s/0h of 26358 corpus (22027s/4331h AxB2) 06/01/06
  261. #counts SARE_HTML_FLOAT1 125s/0h of 13285 corpus (7412s/5873h CT) 05/31/06
  262. #counts SARE_HTML_FLOAT1 1645s/0h of 162350 corpus (110752s/51598h DOC) 05/31/06
  263. #counts SARE_HTML_FLOAT1 40s/0h of 15726 corpus (7781s/7945h FT) 05/31/06
  264. #counts SARE_HTML_FLOAT1 3054s/0h of 119967 corpus (84310s/35657h ML) 05/31/06
  265. #counts SARE_HTML_FLOAT1 17s/0h of 22937 corpus (17232s/5705h MY) 05/31/06
  # Matches a line consisting exactly of "-----original message-----<br>", all
  # lowercase (there is no /i flag). The description reads it as a faked reply
  # separator.
  # NOTE(review): the file header says file 0 rules have not hit ham in any SARE
  # mass-check, but the counts below record one ham hit (22s/1h, JH-3.01 corpus,
  # 06/18/05). Weigh the 1.666 score accordingly.
  266. rawbody SARE_HTML_ORIG_MSG /^-----original message-----<br>$/
  267. describe SARE_HTML_ORIG_MSG Fake replied message?
  268. score SARE_HTML_ORIG_MSG 1.666
  269. #hist SARE_HTML_ORIG_MSG Tim Jackson, May 12, 2005
  270. #counts SARE_HTML_ORIG_MSG 65s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  271. #counts SARE_HTML_ORIG_MSG 6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  272. #max SARE_HTML_ORIG_MSG 12s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  273. #counts SARE_HTML_ORIG_MSG 14s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
  274. #counts SARE_HTML_ORIG_MSG 38s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  275. #counts SARE_HTML_ORIG_MSG 22s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  276. #counts SARE_HTML_ORIG_MSG 119s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  277. #counts SARE_HTML_ORIG_MSG 10s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  278. #max SARE_HTML_ORIG_MSG 154s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  # Matches ">", a single letter padded by one space on each side, "</span>", then
  # a single letter directly followed by the next "<span" (case-insensitive):
  # text chopped into one-letter <span> fragments.
  # NOTE(review): the describe text only repeats the rule name, so a report
  # gives an analyst no explanation of why the message was hit.
  279. rawbody SARE_HTML_SPANNER /> [a-z] <\/span>[a-z]<span/i
  280. describe SARE_HTML_SPANNER spammer is a SARE_HTML_SPANNER
  281. score SARE_HTML_SPANNER 2.222
  282. #hist SARE_HTML_SPANNER variation apparently scheduled for SA distribution in 3.2
  283. #hist SARE_HTML_SPANNER Robert Brooks, March 2006
  284. #counts SARE_HTML_SPANNER 1849s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  285. #counts SARE_HTML_SPANNER 7s/0h of 9982 corpus (5652s/4330h AxB) 05/14/06
  286. #counts SARE_HTML_SPANNER 108s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
  287. #counts SARE_HTML_SPANNER 959s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
  288. #counts SARE_HTML_SPANNER 31s/0h of 42253 corpus (34139s/8114h FVGT) 05/15/06
  289. #counts SARE_HTML_SPANNER 3027s/0h of 106183 corpus (72941s/33242h ML) 05/14/06
  290. #counts SARE_HTML_SPANNER 9s/0h of 22939 corpus (17232s/5707h MY) 05/14/06
  291. ######## ###################### ##################################################
  292. # Suspicious tag combinations
  293. ######## ###################### ##################################################
  # `full` rule, case-sensitive: matches a signature block of consecutive lines
  # "Phone: ddd-...", "Mobile: ddd-..." and "Email: <A href...</A>", followed by a
  # line reading </DIV></BODY></HTML>.
  # [\d\-<BR>]+ is a character class (digits, "-", "<", "B", "R", ">"), not the
  # tag <BR> as a unit; it accepts those characters in any order.
  # .{1,100} bounds the anchor contents and, without /s, cannot cross a newline.
  # The RM corpus count below fell from 1964 hits (03/31/05) to 1 (05/12/06), so
  # this is a dated campaign signature.
  294. full SARE_HTML_CALL_ME m'\nPhone:\s+\d{3}-[\d\-<BR>]+\nMobile:\s+\d{3}-[\d\-<BR>]+\nEmail:\s+<A href.{1,100}</A>\n</DIV></BODY></HTML>'
  295. describe SARE_HTML_CALL_ME spammer sign in text
  296. score SARE_HTML_CALL_ME 2.222
  297. #hist SARE_HTML_CALL_ME Loren Wilton: LW_CALLME
  298. #counts SARE_HTML_CALL_ME 1s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  299. #max SARE_HTML_CALL_ME 1964s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
  300. #counts SARE_HTML_CALL_ME 270s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  301. #counts SARE_HTML_CALL_ME 0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  302. #counts SARE_HTML_CALL_ME 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
  303. #counts SARE_HTML_CALL_ME 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  304. ######## ###################### ##################################################
  305. # Miscellaneous tag tests
  306. ######## ###################### ##################################################
  307. ######## ###################### ##################################################
  308. # Useless tags (tag structures that do nothing)
  309. # Largely submitted by Matt Yackley, with contributions by
  310. # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
  311. ######## ###################### ##################################################
  312. ######## ###################### ##################################################
  313. # Tests destined for other rule sets
  314. ######## ###################### ##################################################
  # Phishing indicator: an <a> tag whose href target starts with digits right
  # after http:// or https:// while the visible link text starts with "https://"
  # followed by a non-digit, i.e. the URL shown to the reader does not match the
  # numeric destination. The same pattern runs as `rawbody` (02a) and as `full`
  # (02b), and the meta ORs the two.
  # NOTE(review): \d+ only requires the host to begin with a digit, so a hostname
  # with a leading digit also qualifies. Link text shown as "http://" (no "s") is
  # not covered.
  # NOTE(review): SARE_PHISH_HTML_03 uses a near-identical pattern and its counts
  # below match this rule's on most corpora, so one message likely triggers both
  # and collects both scores (2.500 + 1.666).
  315. rawbody __SARE_PHISH_HTML_02a m'<a[\s\w=\.]+href=\"https?://\d+[^>]+>https://[^\d]'i
  316. full __SARE_PHISH_HTML_02b m'<a[\s\w=\.]+href=\"https?://\d+[^>]+>https://[^\d]'i
  317. meta SARE_PHISH_HTML_02 __SARE_PHISH_HTML_02a || __SARE_PHISH_HTML_02b
  318. score SARE_PHISH_HTML_02 2.500
  319. #stype SARE_PHISH_HTML_02 spamgg # phish
  320. #hist SARE_PHISH_HTML_02 Loren Wilton: SARE_PHISH_HTML_03
  321. describe SARE_PHISH_HTML_02 numeric href with https description
  322. #counts SARE_PHISH_HTML_02 49s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  323. #max SARE_PHISH_HTML_02 90s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  324. #counts SARE_PHISH_HTML_02 3s/0h of 56039 corpus (51703s/4336h AxB2) 05/15/06
  325. #counts SARE_PHISH_HTML_02 6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  326. #counts SARE_PHISH_HTML_02 18s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  327. #counts SARE_PHISH_HTML_02 34s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
  328. #counts SARE_PHISH_HTML_02 5s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  329. #counts SARE_PHISH_HTML_02 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  330. #counts SARE_PHISH_HTML_02 2s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  # Same phishing indicator as SARE_PHISH_HTML_02: an href whose target starts
  # with digits, paired with link text that starts with "https://" and a
  # non-digit. It runs as `rawbody` and as `full`, and the meta ORs the two.
  # Differences from 02: whitespace is required right after "<a", the attribute
  # run before href may be empty, and the /s flag is added.
  # /s changes nothing here: the pattern has no unescaped "." for it to affect.
  # NOTE(review): the counts below match SARE_PHISH_HTML_02 on most corpora, so
  # the two rules likely fire together and their scores add up.
  331. rawbody __SARE_PHISH_HTML_03 m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
  332. full __SARE_PHISH_HTML_03a m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
  333. meta SARE_PHISH_HTML_03 __SARE_PHISH_HTML_03 || __SARE_PHISH_HTML_03a
  334. describe SARE_PHISH_HTML_03 numeric href with https description
  335. score SARE_PHISH_HTML_03 1.666
  336. #stype SARE_PHISH_HTML_03 spamg
  337. #hist SARE_PHISH_HTML_03 Loren Wilton, Feb 28 2005
  338. #counts SARE_PHISH_HTML_03 49s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  339. #max SARE_PHISH_HTML_03 90s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  340. #counts SARE_PHISH_HTML_03 3s/0h of 56039 corpus (51703s/4336h AxB2) 05/15/06
  341. #counts SARE_PHISH_HTML_03 6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  342. #counts SARE_PHISH_HTML_03 18s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  343. #counts SARE_PHISH_HTML_03 34s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
  344. #counts SARE_PHISH_HTML_03 5s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/13/05
  345. #counts SARE_PHISH_HTML_03 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  346. #counts SARE_PHISH_HTML_03 2s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  347. # EOF
  348. # SARE HTML Ruleset for SpamAssassin - ruleset 1
  349. # Version: 01.03.10
  350. # Created: 2004-03-31
  351. # Modified: 2006-06-03
  352. # Usage instructions, documentation, and change history in 70_sare_html0.cf
  353. #@@# Revision History: Full Revision History stored in 70_sare_html.log
  354. #@@# 01.03.10: June 3 2006
  355. #@@# Minor score tweaks based on recent mass-checks
  356. #@@# Modified "rule has been moved" meta flags
  357. #@@# Added to file 1 SARE_HTML_SINGLETS
  358. #@@# Archive: SARE_HTML_ALT_WAIT1
  359. #@@# Archive: SARE_HTML_A_NULL
  360. #@@# Archive: SARE_HTML_H2_CLK
  361. #@@# Archive: SARE_HTML_JSCRIPT_ENC
  362. #@@# Archive: SARE_HTML_URI_BUG
  363. #@@# Moved file 1 to 2: SARE_HTML_BR_MANY
  364. #@@# Moved file 1 to 2: SARE_HTML_ONE_LINE2
  365. #@@# Moved file 1 to 2: SARE_HTML_URI_OC
  366. #@@# Moved file 1 to 3: SARE_HTML_TITLE_MNY
  367. #@@# Moved file 1 to 3: SARE_HTML_URI_DEFASP
  368. # License: Artistic - see http://www.rulesemporium.com/license.txt
  369. # Current Maintainer: Bob Menschel - RMSA@Menschel.net
  370. # Current Home: http://www.rulesemporium.com/rules/70_sare_html1.cf
  371. ######## ###################### ##################################################
  372. # Rules renamed or moved
  373. ######## ###################### ##################################################
  # Tombstones for rules that were archived or moved to another file (see the
  # revision history above). __SARE_HEAD_FALSE is "X && !X", which can never be
  # true, so every meta below stays defined but never hits.
  # NOTE(review): __FROM_AOL_COM is not defined in this part of the file; presumably
  # it comes from the stock rule set - verify it still exists there, otherwise
  # this meta depends on an undefined rule.
  374. meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
  375. meta SARE_HTML_URI_RM __SARE_HEAD_FALSE
  376. meta SARE_HTML_URI_REFID __SARE_HEAD_FALSE
  377. meta SARE_HTML_ALT_WAIT1 __SARE_HEAD_FALSE
  378. meta SARE_HTML_A_NULL __SARE_HEAD_FALSE
  379. meta SARE_HTML_H2_CLK __SARE_HEAD_FALSE
  380. meta SARE_HTML_JSCRIPT_ENC __SARE_HEAD_FALSE
  381. meta SARE_HTML_URI_BUG __SARE_HEAD_FALSE
  382. meta SARE_HTML_BR_MANY __SARE_HEAD_FALSE
  383. meta SARE_HTML_ONE_LINE2 __SARE_HEAD_FALSE
  384. meta SARE_HTML_URI_OC __SARE_HEAD_FALSE
  385. meta SARE_HTML_TITLE_MNY __SARE_HEAD_FALSE
  386. meta SARE_HTML_URI_DEFASP __SARE_HEAD_FALSE
  387. ######## ###################### ##################################################
  # Building blocks for the scored rules. Names starting with "__" are sub-rules:
  # they carry no score of their own and only count when a meta references them.
  # __CTYPE_HTML: the Content-Type header mentions text/html anywhere in its value.
  388. header __CTYPE_HTML Content-Type =~ /text\/html/i
  # Tag-presence checks delegated to the html_tag_exists() eval function.
  389. rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
  390. rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
  391. rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
  392. rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
  393. rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
  394. rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
  395. rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
  396. rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
  # Literal tag sequences. The "^" forms only match at the start of the text the
  # regex is handed (a line or chunk of the decoded body).
  # __SARE_HTML_EHEB is </html> closed before </body>, i.e. closing tags out of order.
  397. rawbody __SARE_HTML_HBODY m'<html><body>'i
  398. rawbody __SARE_HTML_BEHTML m'<body></html>'i
  399. rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
  400. rawbody __SARE_HTML_EFONT m'^</font>'i
  401. rawbody __SARE_HTML_EHEB m'^</html></body>'i
  # Case-sensitive (no /i): lower-case "<center>" directly followed by a comment opener.
  402. rawbody __SARE_HTML_CMT_CNTR /<center><!--/
  403. # JH: These rules test for strange color combinations. There might be even more powerful combinations, but I haven't had time to check them all.
  # __SARE_LIGHT_FG_COLOR: a "color" attribute/property (not preceded by "-" or a letter,
  # so not bgcolor / background-color) set to a near-white value that is not pure white:
  # hex with e/f as the leading digit of each pair, rgb() components 220 and up,
  # percentages 86-100, or one of the listed pale colour names.
  # "=(?:3d)?" also accepts a literal "=3d", the quoted-printable spelling of "=".
  404. rawbody __SARE_LIGHT_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!fff\W|ffffff)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
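  # __SARE_WHITE_FG_COLOR: foreground "color" set to pure white - #fff / #ffffff,
  # rgb(255,255,255), rgb(100%,100%,100%) or the name "white".
  # The percentage alternative opens with "\(" exactly like the rgb(255,...) one and like
  # __SARE_WHITE_BG_COLOR. It previously read "\\s{0,10}" (a literal backslash, then "s"),
  # which could not match a normal rgb(100%,100%,100%) value.
  405. rawbody __SARE_WHITE_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i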
  # Colour sub-rules. FG variants match "color" not preceded by "-" or a letter; BG
  # variants match "bgcolor" / "background-color". After ":" or "=" (a literal "=3d"
  # is accepted too) come optional quotes/whitespace and then the value:
  #   DARK  - near-black but not pure black: hex pairs with leading digit 0/1,
  #           rgb() components 0-39, percentages 0-39
  #   BLACK - #000 / #000000, rgb(0,0,0), rgb(0%,0%,0%) or "black"
  #   LIGHT - near-white but not pure white (hex e/f leading digits, rgb 220 and up,
  #           percentages 86-100, pale colour names)
  #   WHITE - #fff / #ffffff, rgb(255,255,255), rgb(100%,100%,100%) or "white"
  # __SARE_HAS_BG_COLOR / __SARE_HAS_FG_COLOR only test that such an attribute is present.
  # How these are combined into scored rules is not visible in this part of the file.
  406. rawbody __SARE_DARK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
  407. rawbody __SARE_BLACK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
  408. rawbody __SARE_LIGHT_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!ffffff|fff\W)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
  409. rawbody __SARE_WHITE_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
  410. rawbody __SARE_DARK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
  411. rawbody __SARE_BLACK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
  412. rawbody __SARE_HAS_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=)/i
  413. rawbody __SARE_HAS_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=)/i
  414. ######## ###################### ##################################################
  415. # Is there a message?
  416. ######## ###################### ##################################################
  417. ######## ###################### ##################################################
  418. # <HTML> and <BODY> tag spamsign
  419. ######## ###################### ##################################################
  # "<HTML>" followed within two characters by the entity "&quot;", tested on the
  # undecoded message (full); /s lets "." span a line break between the two.
  420. full SARE_HTML_HTML_QUOT /<HTML>.{0,2}&quot;/is
  421. describe SARE_HTML_HTML_QUOT Message body has very strange HTML sequence
  422. score SARE_HTML_HTML_QUOT 1.666
  423. #ham SARE_HTML_HTML_QUOT verified (2)
  424. #hist SARE_HTML_HTML_QUOT Fred T: FR_HTML_QUOTE
  425. #counts SARE_HTML_HTML_QUOT 197s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  426. #max SARE_HTML_HTML_QUOT 236s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
  427. #counts SARE_HTML_HTML_QUOT 23s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
  428. #counts SARE_HTML_HTML_QUOT 16s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  429. #counts SARE_HTML_HTML_QUOT 82s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  430. #counts SARE_HTML_HTML_QUOT 38s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  431. #counts SARE_HTML_HTML_QUOT 159s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  432. #counts SARE_HTML_HTML_QUOT 5s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  433. #max SARE_HTML_HTML_QUOT 98s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  434. #counts SARE_HTML_HTML_QUOT 0s/0h of 4676 corpus (808s/3868h ft) 05/28/05
  # "<html>" followed within two characters by "<table" (no <head>/<body> in between),
  # tested on the undecoded message. The #counts lines below record a few ham hits,
  # which fits the low score.
  435. full SARE_HTML_HTML_TBL /<html>.{0,2}<table/is
  436. describe SARE_HTML_HTML_TBL Message body has very strange HTML sequence
  437. score SARE_HTML_HTML_TBL 0.646
  438. #hist SARE_HTML_HTML_TBL Fred T: FR_HTML_TABLE
  439. #counts SARE_HTML_HTML_TBL 94s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
  440. #max SARE_HTML_HTML_TBL 287s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
  441. #counts SARE_HTML_HTML_TBL 10s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  442. #counts SARE_HTML_HTML_TBL 10s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  443. #counts SARE_HTML_HTML_TBL 3s/3h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  444. #counts SARE_HTML_HTML_TBL 11s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  445. #max SARE_HTML_HTML_TBL 140s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  446. #counts SARE_HTML_HTML_TBL 22s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  447. #counts SARE_HTML_HTML_TBL 13s/3h of 23074 corpus (17350s/5724h MY) 05/14/06
  448. #max SARE_HTML_HTML_TBL 30s/3h of 57287 corpus (52272s/5015h MY) 09/22/05
  449. ######## ###################### ##################################################
  450. # <TITLE> Tag Tests
  451. ######## ###################### ##################################################
  # A line consisting only of <title>word</title> where the word is all lower-case
  # letters. No /i, so capitalised titles and upper-case tags do not match.
  452. rawbody SARE_HTML_TITLE_1WD m'^<title>[a-z]+</title>$'
  453. describe SARE_HTML_TITLE_1WD strange document title
  454. score SARE_HTML_TITLE_1WD 1.591
  455. #hist SARE_HTML_TITLE_1WD Loren Wilton LW_FUNNY_TITLE
  456. #counts SARE_HTML_TITLE_1WD 1125s/4h of 333405 corpus (262498s/70907h RM) 05/12/06
  457. #max SARE_HTML_TITLE_1WD 2076s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
  458. #counts SARE_HTML_TITLE_1WD 34s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  459. #counts SARE_HTML_TITLE_1WD 105s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  460. #max SARE_HTML_TITLE_1WD 143s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  461. #counts SARE_HTML_TITLE_1WD 0s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  462. #max SARE_HTML_TITLE_1WD 1s/0h of 4676 corpus (808s/3868h ft) 05/28/05
  463. #counts SARE_HTML_TITLE_1WD 123s/2h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  464. #counts SARE_HTML_TITLE_1WD 174s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  465. #counts SARE_HTML_TITLE_1WD 53s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
  466. #max SARE_HTML_TITLE_1WD 151s/1h of 47221 corpus (42968s/4253h MY) 06/18/05
  # Two-word variant of SARE_HTML_TITLE_1WD: a line that is exactly <title>, two
  # all-lower-case words separated by one whitespace character, </title>.
  # Case-sensitive on purpose (see the trailing "no /i" remark).
  467. rawbody SARE_HTML_TITLE_2WD m'^<title>[a-z]+\s[a-z]+</title>$' # no /i
  468. score SARE_HTML_TITLE_2WD 0.660
  469. describe SARE_HTML_TITLE_2WD strange document title
  470. #hist SARE_HTML_TITLE_2WD Loren Wilton LW_FUNNY_TITLE1
  471. #counts SARE_HTML_TITLE_2WD 85s/7h of 333405 corpus (262498s/70907h RM) 05/12/06
  472. #max SARE_HTML_TITLE_2WD 314s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
  473. #counts SARE_HTML_TITLE_2WD 18s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  474. #counts SARE_HTML_TITLE_2WD 14s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  475. #max SARE_HTML_TITLE_2WD 15s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  476. #counts SARE_HTML_TITLE_2WD 6s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  477. #max SARE_HTML_TITLE_2WD 19s/1h of 54089 corpus (16916s/37173h JH-3.01) 02/25/05
  478. #counts SARE_HTML_TITLE_2WD 29s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  479. #counts SARE_HTML_TITLE_2WD 18s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  480. #max SARE_HTML_TITLE_2WD 40s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  # Title that is exactly a weekday name, Monday to Friday, in any letter case.
  # Saturday and Sunday are not in the alternation.
  481. rawbody SARE_HTML_TITLE_DAY /<title>(monday|tuesday|wednesday|thursday|friday)<\/title>/i
  482. describe SARE_HTML_TITLE_DAY HTML contains day of week in title
  483. score SARE_HTML_TITLE_DAY 1.081
  484. #hist SARE_HTML_TITLE_DAY Tim Jackson, May 12 2005
  485. #counts SARE_HTML_TITLE_DAY 184s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  486. #counts SARE_HTML_TITLE_DAY 2s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  487. #counts SARE_HTML_TITLE_DAY 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  488. #max SARE_HTML_TITLE_DAY 25s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  489. #counts SARE_HTML_TITLE_DAY 2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  490. #counts SARE_HTML_TITLE_DAY 1s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
  491. #max SARE_HTML_TITLE_DAY 16s/1h of 57287 corpus (52272s/5015h MY) 09/22/05
  # Title that is a single unbroken run of 15 or more letters. With /i the "A-Z" in
  # the class is redundant but harmless. The #counts lines below record ham hits
  # in several corpora, so this is a weak indicator on its own.
  492. rawbody SARE_HTML_TITLE_LWORD /<title>[a-zA-Z]{15,}<\/title>/i
  493. describe SARE_HTML_TITLE_LWORD HTML Title contains looong word
  494. score SARE_HTML_TITLE_LWORD 0.665
  495. #ham SARE_HTML_TITLE_LWORD Rite Aid Single Check Rebates <rebates@rebates.riteaid.com>
  496. #counts SARE_HTML_TITLE_LWORD 485s/31h of 333405 corpus (262498s/70907h RM) 05/12/06
  497. #max SARE_HTML_TITLE_LWORD 732s/40h of 689155 corpus (348140s/341015h RM) 09/18/05
  498. #counts SARE_HTML_TITLE_LWORD 42s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  499. #counts SARE_HTML_TITLE_LWORD 3s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  500. #max SARE_HTML_TITLE_LWORD 3s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  501. #counts SARE_HTML_TITLE_LWORD 4s/3h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  502. #counts SARE_HTML_TITLE_LWORD 32s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  503. #counts SARE_HTML_TITLE_LWORD 161s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  504. #counts SARE_HTML_TITLE_LWORD 84s/4h of 23074 corpus (17350s/5724h MY) 05/14/06
  505. #max SARE_HTML_TITLE_LWORD 202s/1h of 47221 corpus (42968s/4253h MY) 06/18/05
  # Title containing "sex" at a word start, with at most 15 characters on either side.
  # The word boundary is only on the left, so longer words beginning with "sex" match too.
  # NOTE(review): no describe line for this rule appears in this part of the file.
  506. rawbody SARE_HTML_TITLE_SEX /<title>.{0,15}\bSex.{0,15}<\/title>/i
  507. score SARE_HTML_TITLE_SEX 0.689
  508. #ham SARE_HTML_TITLE_SEX confirmed (2)
  509. #hist SARE_HTML_TITLE_SEX Fred T: FR_TITLE_SEX
  510. #counts SARE_HTML_TITLE_SEX 4s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  511. #max SARE_HTML_TITLE_SEX 167s/2h of 196681 corpus (96193s/100488h RM) 02/22/05
  512. #counts SARE_HTML_TITLE_SEX 1s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  513. #counts SARE_HTML_TITLE_SEX 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  514. #max SARE_HTML_TITLE_SEX 7s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  515. #counts SARE_HTML_TITLE_SEX 7s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  516. #counts SARE_HTML_TITLE_SEX 5s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  517. #max SARE_HTML_TITLE_SEX 14s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  518. #counts SARE_HTML_TITLE_SEX 1s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  519. #counts SARE_HTML_TITLE_SEX 6s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  520. ######## ###################### ##################################################
  521. # <A> and HREF rules
  522. ######## ###################### ##################################################
  # "<body>" followed within four characters by "<a href", i.e. a message whose body
  # opens straight into a link. The leading negative lookahead exempts the one exact
  # layout "<body>", two newlines, "<a href". Tested on the undecoded message.
  523. full SARE_HTML_A_BODY /(?!<body>\n\n<a href)<body>.{0,4}<a href/is
  524. describe SARE_HTML_A_BODY Message body has very strange HTML sequence
  525. score SARE_HTML_A_BODY 0.742
  526. #hist SARE_HTML_A_BODY Fred T: FR_BODY_AHREF
  527. #counts SARE_HTML_A_BODY 419s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
  528. #max SARE_HTML_A_BODY 1527s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
  529. #counts SARE_HTML_A_BODY 20s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  530. #counts SARE_HTML_A_BODY 2s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  531. #max SARE_HTML_A_BODY 92s/3h of 10826 corpus (6364s/4462h CT) 05/28/05
  532. #counts SARE_HTML_A_BODY 30s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  533. #counts SARE_HTML_A_BODY 359s/25h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  534. #counts SARE_HTML_A_BODY 134s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  535. #counts SARE_HTML_A_BODY 10s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  536. #max SARE_HTML_A_BODY 50s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  537. ######## ###################### ##################################################
  538. # Spamsign character sets and fonts
  539. ######## ###################### ##################################################
  # "</body>" immediately followed by "</font>": the font element is closed after the
  # body that should contain it, i.e. closing tags out of order.
  540. rawbody SARE_HTML_FONT_EBEF m'</body></font>'i
  541. describe SARE_HTML_FONT_EBEF Message body has very strange HTML sequence
  542. score SARE_HTML_FONT_EBEF 0.658
  543. #ham SARE_HTML_FONT_EBEF verified (1)
  544. #hist SARE_HTML_FONT_EBEF Fred T: FR_BODY_FONT
  545. #counts SARE_HTML_FONT_EBEF 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  546. #max SARE_HTML_FONT_EBEF 44s/1h of 281655 corpus (110173s/171482h RM) 05/05/05
  547. #counts SARE_HTML_FONT_EBEF 36s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  548. #max SARE_HTML_FONT_EBEF 123s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  549. #counts SARE_HTML_FONT_EBEF 1s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
  550. #max SARE_HTML_FONT_EBEF 50s/1h of 31513 corpus (27912s/3601h MY) 03/09/05
  551. #counts SARE_HTML_FONT_EBEF 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  # A line that starts with "#", six letters/digits and ">". Presumably this is a colour
  # value that was split onto a new line away from its tag - TODO confirm with the
  # related SARE_HTML_FONT_SPLIT rule named in the #overlap remarks below.
  # The class is [a-z0-9], so the six characters need not be valid hex digits.
  552. rawbody SARE_HTML_FONT_SPL /^\#[a-z0-9]{6}>/i
  553. describe SARE_HTML_FONT_SPL Message uses suspicious font size and/or color
  554. score SARE_HTML_FONT_SPL 0.650
  555. #ham SARE_HTML_FONT_SPL verified (1)
  556. #hist SARE_HTML_FONT_SPL Charles Gregory
  557. #overlap SARE_HTML_FONT_SPL Overlaps strongly with SARE_HTML_A_INV, though there's no regex overlap
  558. #overlap SARE_HTML_FONT_SPL Overlaps strongly with SARE_HTML_FONT_SPLIT for obvious reasons, but not enough to warrant dropping one.
  559. #counts SARE_HTML_FONT_SPL 3s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  560. #max SARE_HTML_FONT_SPL 360s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
  561. #counts SARE_HTML_FONT_SPL 5s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
  562. #counts SARE_HTML_FONT_SPL 1s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  563. #max SARE_HTML_FONT_SPL 14s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  564. #counts SARE_HTML_FONT_SPL 5s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  565. #max SARE_HTML_FONT_SPL 53s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  566. #counts SARE_HTML_FONT_SPL 3s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  567. #counts SARE_HTML_FONT_SPL 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  568. #max SARE_HTML_FONT_SPL 1s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  569. ######## ###################### ##################################################
  570. # Invalid or Suspicious URI Tests
  571. ######## ###################### ##################################################
  # "www" with two of its three letters written as %77 (the percent-encoding of "w").
  # Legitimate links have no reason to escape a plain letter, hence the high score.
  # Only the three two-escape spellings are listed; whether other mixes of literal
  # and escaped "w" are handled by another rule is not visible in this part of the file.
  572. rawbody SARE_HTML_URI_ESCWWW /(?:%77w%77|w%77%77|%77%77w)/i
  573. describe SARE_HTML_URI_ESCWWW URI with obfuscated destination
  574. score SARE_HTML_URI_ESCWWW 2.222
  575. #hist SARE_HTML_URI_ESCWWW Fred T: FR_ESCAPE_WWW
  576. #overlap SARE_HTML_URI_ESCWWW Overlaps with SARE_HTML_FSIZE_1ALL
  577. #counts SARE_HTML_URI_ESCWWW 2572s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  578. #counts SARE_HTML_URI_ESCWWW 16s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  579. #counts SARE_HTML_URI_ESCWWW 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  580. #max SARE_HTML_URI_ESCWWW 3s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  581. #counts SARE_HTML_URI_ESCWWW 117s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  582. #counts SARE_HTML_URI_ESCWWW 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  583. #max SARE_HTML_URI_ESCWWW 16s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  584. #counts SARE_HTML_URI_ESCWWW 70s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  585. #counts SARE_HTML_URI_ESCWWW 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  586. #max SARE_HTML_URI_ESCWWW 1s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  # URI whose first host label is exactly 30 letters/digits (no hyphens) before the
  # first dot. Split from SARE_HTML_URI_LHOST31 (31 or more); because of the "^" anchor
  # and the required dot the two cannot both match the same URI.
  587. uri SARE_HTML_URI_LHOST30 m*^https?://[a-z0-9]{30}\.*i
  588. describe SARE_HTML_URI_LHOST30 Long unbroken string within URI
  589. score SARE_HTML_URI_LHOST30 1.666
  590. #hist SARE_HTML_URI_LHOST30 Fred T (originally 40,)
  591. #ham SARE_HTML_URI_LHOST30 30: www.rebuildingthevillagefoundation.org
  592. #counts SARE_HTML_URI_LHOST30 301s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  593. #counts SARE_HTML_URI_LHOST30 18s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  594. #counts SARE_HTML_URI_LHOST30 6s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  595. #counts SARE_HTML_URI_LHOST30 27s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  596. #counts SARE_HTML_URI_LHOST30 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  597. #max SARE_HTML_URI_LHOST30 3s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  598. #counts SARE_HTML_URI_LHOST30 128s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  599. #counts SARE_HTML_URI_LHOST30 5s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  600. #max SARE_HTML_URI_LHOST30 13s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  # URI whose first host label is 31 or more letters/digits (no hyphens) before the
  # first dot. Companion of SARE_HTML_URI_LHOST30, which covers exactly 30.
  601. uri SARE_HTML_URI_LHOST31 m*^https?://[a-z0-9]{31,}\.*i
  602. describe SARE_HTML_URI_LHOST31 Long unbroken string within URI
  603. score SARE_HTML_URI_LHOST31 1.666
  604. #hist SARE_HTML_URI_LHOST31 Fred T (originally 40,)
  605. #ham SARE_HTML_URI_LHOST31 30: www.rebuildingthevillagefoundation.org
  606. #counts SARE_HTML_URI_LHOST31 776s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  607. #max SARE_HTML_URI_LHOST31 840s/15h of 689155 corpus (348140s/341015h RM) 09/18/05
  608. #counts SARE_HTML_URI_LHOST31 90s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  609. #counts SARE_HTML_URI_LHOST31 99s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  610. #counts SARE_HTML_URI_LHOST31 125s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  611. #counts SARE_HTML_URI_LHOST31 456s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  612. #counts SARE_HTML_URI_LHOST31 94s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  613. #counts SARE_HTML_URI_LHOST31 21s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  # URI path containing "/nomore.htm" (so ".html" matches as well). The #ham remark
  # below documents a legitimate site using this page name, and the most recent
  # #counts are close to zero.
  614. uri SARE_HTML_URI_NOMORE m'/nomore\.htm'i
  615. describe SARE_HTML_URI_NOMORE URI to page name which suggests spammer's page
  616. score SARE_HTML_URI_NOMORE 0.906
  617. #ham SARE_HTML_URI_NOMORE http://www.afsc.org/nomore.htm; Student Peace Action Network (SPAN)
  618. #counts SARE_HTML_URI_NOMORE 2s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  619. #max SARE_HTML_URI_NOMORE 1200s/0h of 92209 corpus (74874s/17335h RM) 01/17/04
  620. #counts SARE_HTML_URI_NOMORE 7s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  621. #counts SARE_HTML_URI_NOMORE 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  622. #max SARE_HTML_URI_NOMORE 69s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  623. #counts SARE_HTML_URI_NOMORE 54s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  624. #max SARE_HTML_URI_NOMORE 68s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  625. #counts SARE_HTML_URI_NOMORE 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  626. #max SARE_HTML_URI_NOMORE 4s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  # URI containing "out.php" at a word boundary, anywhere in the URI (host, path or query).
  627. uri SARE_HTML_URI_OUTPHP /\bout\.php/i
  628. describe SARE_HTML_URI_OUTPHP text uri to unsubscribe link
  629. score SARE_HTML_URI_OUTPHP 0.907
  630. #addsto SARE_HTML_URI_OUTPHP SARE_HTML_URI_OPTPHP
  631. #ham SARE_HTML_URI_OUTPHP Bravenet ad attached to reply form email
  632. #counts SARE_HTML_URI_OUTPHP 80s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
  633. #max SARE_HTML_URI_OUTPHP 144s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  634. #counts SARE_HTML_URI_OUTPHP 88s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  635. #counts SARE_HTML_URI_OUTPHP 10s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  636. #max SARE_HTML_URI_OUTPHP 21s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  637. #counts SARE_HTML_URI_OUTPHP 4s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  638. #counts SARE_HTML_URI_OUTPHP 13s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  639. #max SARE_HTML_URI_OUTPHP 25s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  640. #counts SARE_HTML_URI_OUTPHP 58s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  641. #counts SARE_HTML_URI_OUTPHP 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  642. #max SARE_HTML_URI_OUTPHP 17s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  # URI carrying a "partid=" query parameter.
  # NOTE(review): with m|...| as delimiter the leading "/" is part of the pattern, so
  # "?" or "&" must directly follow a slash ("/?partid="); "page.php?partid=" does not
  # match. Confirm this is intended and not a leftover from a /.../ delimiter.
  643. uri SARE_HTML_URI_PARTID m|/[\?\&]partid=|i
  644. describe SARE_HTML_URI_PARTID Partner Id in URL
  645. score SARE_HTML_URI_PARTID 0.166
  646. #hist SARE_HTML_URI_PARTID Loren Wilton <lwilton@earthlink.net>, Sat, 3 Apr 2004 20:29:32 -0800
  647. #counts SARE_HTML_URI_PARTID 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  648. #max SARE_HTML_URI_PARTID 1264s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
  649. #counts SARE_HTML_URI_PARTID 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  650. #max SARE_HTML_URI_PARTID 37s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  651. #counts SARE_HTML_URI_PARTID 81s/6h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  652. #max SARE_HTML_URI_PARTID 302s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  653. #counts SARE_HTML_URI_PARTID 3s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  654. #max SARE_HTML_URI_PARTID 26s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  655. ######## ###################### ##################################################
  656. # <!-- Comment tag tests
  657. ######## ###################### ##################################################
  # Scored wrapper around the sub-rule __SARE_HTML_CMT_CNTR defined earlier in this
  # file (case-sensitive "<center><!--"). The #counts lines below include ham hits.
  658. meta SARE_HTML_CMT_CNTR __SARE_HTML_CMT_CNTR
  659. describe SARE_HTML_CMT_CNTR Message has a center followed by a comment
  660. score SARE_HTML_CMT_CNTR 0.676
  661. #hist SARE_HTML_CMT_CNTR Carl F: CRM_CENTER_COM
  662. #ham SARE_HTML_CMT_CNTR Strategic Developer <strategicdeveloper@newsletter.infoworld.com>, Thursday, January 27, 2005, 10:57:37 AM
  663. #counts SARE_HTML_CMT_CNTR 9s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
  664. #max SARE_HTML_CMT_CNTR 173s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
  665. #counts SARE_HTML_CMT_CNTR 1s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  666. #counts SARE_HTML_CMT_CNTR 53s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  667. #max SARE_HTML_CMT_CNTR 196s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
  668. #counts SARE_HTML_CMT_CNTR 2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  669. #counts SARE_HTML_CMT_CNTR 21s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
  670. #counts SARE_HTML_CMT_CNTR 1s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  671. #counts SARE_HTML_CMT_CNTR 0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  672. #max SARE_HTML_CMT_CNTR 7s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  673. ######## ###################### ##################################################
  674. # Image tag tests
  675. ######## ###################### ##################################################
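  # Inline image whose cid: reference has the form part1.<8 digits>.<8 digits>@word@host,
  # i.e. a Content-ID with two "@" signs.
  # The whitespace allowance after "=" is "\s*"; it previously read "s*" (zero or more
  # literal "s"), which did not tolerate whitespace as the #hist entries below describe.
  # The "." between the two digit groups is unescaped and matches any character; left as is.
  676. rawbody SARE_HTML_IMG_2AT /IMG\s*SRC\s*=\s*"cid:part1\.\d{8}.\d{8}\@[a-z]+\@[\w\.]+"/is
  677. describe SARE_HTML_IMG_2AT strange internal image link
  678. score SARE_HTML_IMG_2AT 1.216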
  679. #hist SARE_HTML_IMG_2AT Loren Wilton: LW_DOUBLE_AT
  680. #hist SARE_HTML_IMG_2AT Apr 2 2005, Bob Menschel, Added spaces around "="
  681. #hist SARE_HTML_IMG_2AT Apr 16 2005, Bob Menschel, replaced spaces with \s
  682. #counts SARE_HTML_IMG_2AT 328s/13h of 333405 corpus (262498s/70907h RM) 05/12/06
  683. #max SARE_HTML_IMG_2AT 3648s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
  684. #counts SARE_HTML_IMG_2AT 222s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
  685. #counts SARE_HTML_IMG_2AT 69s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  686. #counts SARE_HTML_IMG_2AT 828s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  687. #counts SARE_HTML_IMG_2AT 57s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  688. #counts SARE_HTML_IMG_2AT 280s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  689. #counts SARE_HTML_IMG_2AT 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  690. #max SARE_HTML_IMG_2AT 105s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  691. ######## ###################### ##################################################
  692. # <tag ... ALT= ...> tag tests
  693. ######## ###################### ##################################################
  694. ######## ###################### ##################################################
  695. # Javascript and object tests
  696. ######## ###################### ##################################################
  # Short HTML message that is little more than a linked image: an <html>/<body> tag,
  # then <a within 200 characters, <img within 145 more, and the closing body/html
  # tag within a further 200. All gaps are bounded, which also keeps matching cheap.
  # The #ham remarks below confirm that legitimate image-only mail hits this rule.
  697. full SARE_HTML_IMG_ONLY m'<(?:html|body).{1,200}<a.{12,145}<img.{11,200}</(?:body|html)>'is
  698. describe SARE_HTML_IMG_ONLY Short HTML msg, IMG and A HREF, maybe naught else
  699. score SARE_HTML_IMG_ONLY 1.666
  700. #ham SARE_HTML_IMG_ONLY Verified (image-only ham)
  701. #hist SARE_HTML_IMG_ONLY Originally Fred T: FVGT_m_IMAGE_ONLY
  702. #hist SARE_HTML_IMG_ONLY Enhanced May 29 2004 by Bob Menschel, incorporate all tests in one regex
  703. #ham SARE_HTML_IMG_ONLY 5: Oct 2002 Yahoo webmail with automatically inserted FAULTY flamingtext.com advertisement
  704. #overlap SARE_HTML_IMG_ONLY Rules that completely overlap this one: SARE_HTML_PILL3, SARE_HTML_PILL4
  705. #counts SARE_HTML_IMG_ONLY 14904s/16h of 333405 corpus (262498s/70907h RM) 05/12/06
  706. #counts SARE_HTML_IMG_ONLY 70s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  707. #counts SARE_HTML_IMG_ONLY 154s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  708. #counts SARE_HTML_IMG_ONLY 4131s/6h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  709. #counts SARE_HTML_IMG_ONLY 261s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  710. #max SARE_HTML_IMG_ONLY 553s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  711. #counts SARE_HTML_IMG_ONLY 4730s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  712. #counts SARE_HTML_IMG_ONLY 7s/7h of 23074 corpus (17350s/5724h MY) 05/14/06
  713. #max SARE_HTML_IMG_ONLY 141s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  # HTML that embeds a Flash/Shockwave object: a codebase attribute pointing at the
  # Macromedia download host. Active content has no place in ordinary mail.
  # NOTE(review): as written only an "https://" codebase matches - confirm that an
  # "http://" codebase is not meant to match as well.
  714. rawbody SARE_HTML_JVS_FLASH m'codebase="https://download\.macromedia\.com/pub/shockwave'i
  715. describe SARE_HTML_JVS_FLASH Tries to load flash animation
  716. score SARE_HTML_JVS_FLASH 1.246
  717. #ham SARE_HTML_JVS_FLASH verified (1) cbs.marketwatch.com
  718. #hist SARE_HTML_JVS_FLASH Mike Kuentz <JunkEmail@rapidigm.com>
  719. #counts SARE_HTML_JVS_FLASH 444s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
  720. #counts SARE_HTML_JVS_FLASH 33s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  721. #counts SARE_HTML_JVS_FLASH 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  722. #max SARE_HTML_JVS_FLASH 4s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  723. #counts SARE_HTML_JVS_FLASH 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  724. #max SARE_HTML_JVS_FLASH 7s/0h of 29366 corpus (5882s/23484h JH) 07/23/04 TM2 SA3.0-pre2
  725. #counts SARE_HTML_JVS_FLASH 53s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  726. #counts SARE_HTML_JVS_FLASH 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  727. #max SARE_HTML_JVS_FLASH 28s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  728. ######## ###################### ##################################################
  729. # Obviously invalid html tag
  730. ######## ###################### ##################################################
  731. header __CT_TEXT_PLAIN Content-Type =~ /^text\/plain\b/i
       # __CT_TEXT_PLAIN: true when the Content-Type header begins with text/plain.
  732. rawbody __SARE_HTML_INV_TAG /\w<\!\w{18,60}>\w/i
       # __SARE_HTML_INV_TAG: "<!" plus 18-60 word characters plus ">", wedged between two word characters.
  733. rawbody __SARE_HTML_INV_TAG2 m'\w</?(?!(?:blockquote|optiongroup|plaintext|fontfamily|underline|cf.+))[a-z]{9,17}>\w'
       # __SARE_HTML_INV_TAG2: case-sensitive (no /i); tag name of 9-17 lowercase letters, skipping names that
       # begin with one of the listed words or with "cf".
  734. rawbody __SARE_HTML_INV_TAG3 m'\w<[/!]?(?!cf.+)\w{11,20}>\w'i
       # __SARE_HTML_INV_TAG3: tag name of 11-20 word characters, optional leading "/" or "!", skipping "cf..." names.
  735. rawbody __SARE_HTML_INV_TAG4 m'\w(?!</?cf.{1,8}>)<[/!]?[bcdfghjklmnpqrstvwxz]{5,9}>\w'i
       # __SARE_HTML_INV_TAG4: tag name of 5-9 letters drawn only from the consonant class (no vowels, no y).
  736. meta SARE_HTML_INV_TAG ( __SARE_HTML_INV_TAG || __SARE_HTML_INV_TAG2 || __SARE_HTML_INV_TAG3 || __SARE_HTML_INV_TAG4 ) && !__CT_TEXT_PLAIN
       # Fires when any of the four sub-tests hits and the Content-Type header is not text/plain.
       # The \w on both sides of every pattern means the bogus tag must sit inside a run of text,
       # i.e. the tag is being used to split a word rather than to mark anything up.
  737. describe SARE_HTML_INV_TAG Message contains invalid HTML tag
  738. score SARE_HTML_INV_TAG 2.222
  739. #ham SARE_HTML_INV_TAG Monotone source code included within body of email
  740. #hist SARE_HTML_INV_TAG Combined three invalid-tag rules into one, added \w front and back, to test for
  741. #hist SARE_HTML_INV_TAG obfuscation of surrounding text, added tests against __CT_TEXT_PLAIN to give
  742. #hist SARE_HTML_INV_TAG higher scores to HTML email than to plain text email. Enhancements due to
  743. #hist SARE_HTML_INV_TAG ideas suggested by Jesse Houwing, Nicolas Riendeau, and Bob Menschel
  744. #counts SARE_HTML_INV_TAG 36s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  745. #max SARE_HTML_INV_TAG 5650s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
  746. #counts SARE_HTML_INV_TAG 8s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  747. #max SARE_HTML_INV_TAG 66s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  748. #counts SARE_HTML_INV_TAG 21s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  749. #counts SARE_HTML_INV_TAG 386s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  750. #max SARE_HTML_INV_TAG 930s/0h of 38766 corpus (15284s/23482h JH-SA3.0rc1) 09/03/04
  751. #counts SARE_HTML_INV_TAG 17s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  752. #counts SARE_HTML_INV_TAG 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  753. #max SARE_HTML_INV_TAG 952s/0h of 19469 corpus (16883s/2586h MY) 09/03/04
  754. ######## ###################### ##################################################
  755. # Paragraphs, breaks, and spacings
  756. ######## ###################### ##################################################
  757. ######## ###################### ##################################################
  758. # Suspicious tag combinations
  759. ######## ###################### ##################################################
  760. rawbody SARE_HTML_CNTR_TBL /<center>\s*<table>/im
  761. describe SARE_HTML_CNTR_TBL Contains centred table
  762. score SARE_HTML_CNTR_TBL 1.666
       #note SARE_HTML_CNTR_TBL Matches <center>, optional whitespace, then a bare <table> with no attributes.
       #note SARE_HTML_CNTR_TBL The /m modifier changes nothing here because the pattern has no ^ or $ anchor.
  763. #ham SARE_HTML_CNTR_TBL verified (1)
  764. #hist SARE_HTML_CNTR_TBL Tim Jackson, May 25 2005
  765. #counts SARE_HTML_CNTR_TBL 745s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  766. #counts SARE_HTML_CNTR_TBL 1188s/2h of 56024 corpus (51686s/4338h AxB2) 05/15/06
  767. #counts SARE_HTML_CNTR_TBL 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  768. #max SARE_HTML_CNTR_TBL 3s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  769. #counts SARE_HTML_CNTR_TBL 27s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  770. #counts SARE_HTML_CNTR_TBL 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  771. #counts SARE_HTML_CNTR_TBL 2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  772. #counts SARE_HTML_CNTR_TBL 32s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  773. #max SARE_HTML_CNTR_TBL 57s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  774. rawbody __SARE_HTML_SINGLET1 /> [a-z] </i
       # __SARE_HTML_SINGLET1: one letter between two tags, with a single space on each side.
  775. rawbody __SARE_HTML_SINGLET2 />[a-z]</i
       # __SARE_HTML_SINGLET2: one letter between two tags, with no spacing.
  776. meta SARE_HTML_SINGLETS __SARE_HTML_SINGLET1 && __SARE_HTML_SINGLET2
       # Both forms must occur somewhere in the message; they need not be adjacent.
  777. describe SARE_HTML_SINGLETS spam pattern in HTML email
  778. score SARE_HTML_SINGLETS 1.666
  779. #hist SARE_HTML_SINGLETS Robert Brooks, March 2006
  780. #ham SARE_HTML_SINGLETS verified (amateur webmaster sample page attached to email)
  781. #counts SARE_HTML_SINGLETS 26498s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
  782. #counts SARE_HTML_SINGLETS 3660s/2h of 55981 corpus (51658s/4323h AxB2) 05/15/06
  783. #counts SARE_HTML_SINGLETS 130s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
  784. #counts SARE_HTML_SINGLETS 2016s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
  785. #counts SARE_HTML_SINGLETS 65s/2h of 42253 corpus (34139s/8114h FVGT) 05/15/06
  786. #counts SARE_HTML_SINGLETS 5798s/1h of 106183 corpus (72941s/33242h ML) 05/14/06
  787. #counts SARE_HTML_SINGLETS 20s/1h of 22939 corpus (17232s/5707h MY) 05/14/06
  788. ######## ###################### ##################################################
  789. # Useless tags (tag structures that do nothing)
  790. # Largely submitted by Matt Yackley, with contributions by
  791. # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
  792. ######## ###################### ##################################################
  793. rawbody SARE_HTML_USL_FONT m'^<FONT[^>]{0,20}></FONT><'
  794. describe SARE_HTML_USL_FONT Another spam attempt
  795. score SARE_HTML_USL_FONT 0.797
       #note SARE_HTML_USL_FONT Line must start with an empty FONT element (up to 20 characters of attributes)
       #note SARE_HTML_USL_FONT that is followed directly by another tag.
       #note SARE_HTML_USL_FONT NOTE(review): no /i, so only upper-case <FONT>...</FONT> is matched; confirm that is intended.
  796. #hist SARE_HTML_USL_FONT Loren Wilton Apr 11 2005
  797. #counts SARE_HTML_USL_FONT 54s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
  798. #max SARE_HTML_USL_FONT 5192s/1h of 269462 corpus (128310s/141152h RM) 06/17/05
  799. #counts SARE_HTML_USL_FONT 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  800. #max SARE_HTML_USL_FONT 1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  801. #counts SARE_HTML_USL_FONT 0s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  802. #max SARE_HTML_USL_FONT 9s/0h of 6804 corpus (1336s/5468h ft) 06/17/05
  803. #counts SARE_HTML_USL_FONT 7s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  804. #counts SARE_HTML_USL_FONT 32s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  805. #counts SARE_HTML_USL_FONT 81s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
  806. #max SARE_HTML_USL_FONT 1047s/1h of 57287 corpus (52272s/5015h MY) 09/22/05
  807. rawbody SARE_HTML_USL_OBFU m'\w<(\w+)(?: [^>]*)?></\1[^>]*>\w'
  808. describe SARE_HTML_USL_OBFU Message body has very strange HTML sequence
  809. score SARE_HTML_USL_OBFU 1.666
       #note SARE_HTML_USL_OBFU An element opened and closed at once (same name, enforced by the \1 backreference)
       #note SARE_HTML_USL_OBFU with a word character on each side, so the empty element splits a word in two.
       #note SARE_HTML_USL_OBFU Case-sensitive: opening and closing names must match exactly, e.g. <B></b> is not matched.
  810. #match SARE_HTML_USL_OBFU partialword<tag></tag>restofword
  811. #hist SARE_HTML_USL_OBFU Created by Bob Menschel Aug 12 2004
  812. #counts SARE_HTML_USL_OBFU 393s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
  813. #max SARE_HTML_USL_OBFU 520s/6h of 196718 corpus (96193s/100525h RM) 02/22/05
  814. #counts SARE_HTML_USL_OBFU 14s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
  815. #counts SARE_HTML_USL_OBFU 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  816. #max SARE_HTML_USL_OBFU 16s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  817. #counts SARE_HTML_USL_OBFU 88s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  818. #counts SARE_HTML_USL_OBFU 298s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  819. #max SARE_HTML_USL_OBFU 457s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  820. #counts SARE_HTML_USL_OBFU 111s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  821. #counts SARE_HTML_USL_OBFU 21s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  822. #max SARE_HTML_USL_OBFU 148s/0h of 17145 corpus (14677s/2468h MY) 08/12/04
  823. ######## ###################### ##################################################
  824. # Miscellaneous tag tests
  825. ######## ###################### ##################################################
  826. # EOF
  827. # SARE HTML Ruleset for SpamAssassin - ruleset 2
  828. # Version: 01.03.10
  829. # Created: 2004-03-31
  830. # Modified: 2006-06-03
  831. # Usage instructions, documentation, and change history in 70_sare_html0.cf
  832. #@@# Revision History: Full Revision History stored in 70_sare_html.log
  833. #@@# 01.03.09: May ?? 2006
  834. #@@# Minor score tweaks based on recent mass-checks
  835. #@@# Moved file 0 to file 2: SARE_HTML_EHTML_OBFU
  836. #@@# Moved file 0 to file 2: SARE_HTML_HEAD_AFFIL
  837. #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU1
  838. #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU2
  839. #@@# Moved file 0 to file 2: SARE_HTML_ONE_LINE3
  840. #@@# Moved file 0 to file 2: SARE_HTML_POB1200
  841. #@@# Moved file 0 to file 2: SARE_HTML_URI_HIDADD
  842. #@@# Moved file 0 to file 2: SARE_HTML_URI_LOGOGEN
  843. #@@# Moved file 0 to file 2: SARE_HTML_URI_OFF
  844. #@@# Moved file 0 to file 2: SARE_HTML_USL_B7
  845. #@@# Moved file 0 to file 2: SARE_HTML_USL_B9
  846. #@@# Moved file 0 to file 2: SARE_PHISH_HTML_01
  847. #@@# 01.03.10: June 3 2006
  848. #@@# Minor score tweaks based on recent mass-checks
  849. #@@# Moved file 1 to 2: SARE_HTML_BR_MANY
  850. #@@# Moved file 1 to 2: SARE_HTML_ONE_LINE2
  851. #@@# Moved file 1 to 2: SARE_HTML_URI_OC
  852. # License: Artistic - see http://www.rulesemporium.com/license.txt
  853. # Current Maintainer: Bob Menschel - RMSA@Menschel.net
  854. # Current Home: http://www.rulesemporium.com/rules/70_sare_html2.cf
  855. #
  856. ######## ###################### ##################################################
       # Shared sub-rules for ruleset 2. The leading "__" marks them as unscored building blocks for meta rules.
       # The first eight ask the HTML parser whether a given tag occurred anywhere in the message.
  857. rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
  858. rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
  859. rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
  860. rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
  861. rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
  862. rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
  863. rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
  864. rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
       # Literal tag sequences, all requiring the tags to be directly adjacent (no whitespace or attributes).
  865. rawbody __SARE_HTML_HBODY m'<html><body>'i
  866. rawbody __SARE_HTML_BEHTML m'<body></html>'i
  867. rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
  868. rawbody __SARE_HTML_EFONT m'^</font>'i
       # __SARE_HTML_EHEB: closing tags in the wrong order (</html> before </body>) at the start of a line.
  869. rawbody __SARE_HTML_EHEB m'^</html></body>'i
       # __SARE_HTML_CMT_CNTR has no /i, unlike its neighbours, so it is case-sensitive.
  870. rawbody __SARE_HTML_CMT_CNTR /<center><!--/
       # NOTE(review): none of these sub-rules is referenced by a rule in the visible part of ruleset 2;
       # check whether they are still needed here or only in the other SARE HTML files.
  871. ######## ###################### ##################################################
  872. # <HTML> and <BODY> tag spamsign
  873. ######## ###################### ##################################################
  874. rawbody SARE_HTML_EHTML_OBFU m'<\s*/\s+(?!html)[HTmL\s]{4,}>'i
  875. describe SARE_HTML_EHTML_OBFU Phoney tag
  876. score SARE_HTML_EHTML_OBFU 1.111
       #note SARE_HTML_EHTML_OBFU A closing tag with whitespace after the slash, then 4 or more characters drawn
       #note SARE_HTML_EHTML_OBFU from h/t/m/l and whitespace, where the text at that point is not the literal "html".
       #note SARE_HTML_EHTML_OBFU \s+ needs at least one whitespace after "/"; under /i the mixed case in the class is redundant.
  877. #stype SARE_HTML_EHTML_OBFU spamp
  878. #hist SARE_HTML_EHTML_OBFU Loren Wilton, June 2005
  879. #counts SARE_HTML_EHTML_OBFU 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  880. #max SARE_HTML_EHTML_OBFU 30s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
  881. #counts SARE_HTML_EHTML_OBFU 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  882. #counts SARE_HTML_EHTML_OBFU 0s/0h of 6804 corpus (1336s/5468h ft) 06/17/05
  883. #counts SARE_HTML_EHTML_OBFU 21s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  884. #counts SARE_HTML_EHTML_OBFU 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  885. #max SARE_HTML_EHTML_OBFU 34s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  886. ######## ###################### ##################################################
  887. # Spamsign character sets and fonts
  888. ######## ###################### ##################################################
  889. rawbody SARE_HTML_COLOR_D /(?:style="?|<style[^>]*>)[^>"]*[^-]color\s*:\s*rgb\(\s*(?:100|9[0-9]|8[6-9])\s*%\s*,\s*(?:100|9[0-9]|8[6-9])\s*%\s*,\s*(?:100|9[0-9]|8[6-9])\s*%\s*\)[^>]*>/i
  890. describe SARE_HTML_COLOR_D BAD STYLE: color: too light (rgb(%))
  891. score SARE_HTML_COLOR_D 0.100
       #note SARE_HTML_COLOR_D A style attribute or <style> block that sets color: rgb(r%, g%, b%) with every
       #note SARE_HTML_COLOR_D component between 86% and 100%, i.e. near-white text.
       #note SARE_HTML_COLOR_D [^-] before "color" keeps properties such as background-color from matching.
       #note SARE_HTML_COLOR_D Only the percentage form of rgb() is covered; hex and 0-255 notations are not tested by this rule.
  892. #hist SARE_HTML_COLOR_D From Jesse Houwing May 14 2004
  893. #counts SARE_HTML_COLOR_D 0s/0h of 98435 corpus (76828s/21607h RM) 05/14/04
  894. #counts SARE_HTML_COLOR_D 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  895. rawbody SARE_HTML_POB1200 /width="599" bgColor="\#9999FF"/i
  896. describe SARE_HTML_POB1200 Used by POB1200 Orangestad spammer
  897. score SARE_HTML_POB1200 1.666
       #note SARE_HTML_POB1200 Fixed-string signature: both attributes must appear in exactly this order, spacing and quoting.
       #note SARE_HTML_POB1200 The backslash before "#" is required because an unescaped "#" starts a comment in a .cf file.
  898. #stype SARE_HTML_POB1200 spamp
  899. #hist SARE_HTML_POB1200 Jennifer Wheeler <jennifer.sare@nxtek.net> May 17 2004
  900. #counts SARE_HTML_POB1200 0s/0h of 196681 corpus (96193s/100488h RM) 02/22/05
  901. #max SARE_HTML_POB1200 414s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
  902. #counts SARE_HTML_POB1200 1s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  903. #max SARE_HTML_POB1200 18s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  904. #counts SARE_HTML_POB1200 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  905. #max SARE_HTML_POB1200 42s/0h of 18153 corpus (15872s/2281h MY) 05/18/04
  906. #counts SARE_HTML_POB1200 0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  907. ######## ###################### ##################################################
  908. # <FRAME> Tag Tests
  909. ######## ###################### ##################################################
  910. rawbody SARE_HTML_NOFRAMES /<frame><noframes>\w*<\/noframes><\/frame>/i
  911. describe SARE_HTML_NOFRAMES Body appears to hide anti-anti-spam text in frame
  912. score SARE_HTML_NOFRAMES 1.000
       #note SARE_HTML_NOFRAMES Matches an attribute-less <frame> wrapping a <noframes> element whose content is empty
       #note SARE_HTML_NOFRAMES or one run of word characters; \w* does not span spaces or punctuation.
  913. #counts SARE_HTML_NOFRAMES 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
  914. #max SARE_HTML_NOFRAMES 96 spam, 0 ham, Sep 5 2003
  915. #counts SARE_HTML_NOFRAMES 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  916. ######## ###################### ##################################################
  917. # Invalid or Suspicious URI Tests
  918. ######## ###################### ##################################################
  919. rawbody SARE_HTML_URI_GBYE />Good Bye<\/a>/i
  920. describe SARE_HTML_URI_GBYE text has URL to spammer's unsubscribe link
  921. score SARE_HTML_URI_GBYE 0.100
       #note SARE_HTML_URI_GBYE Despite the URI in the name this is a rawbody test on the link text: the anchor's
       #note SARE_HTML_URI_GBYE visible text must be exactly "Good Bye" (any case); the href itself is not examined.
  922. #counts SARE_HTML_URI_GBYE 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
  923. #counts SARE_HTML_URI_GBYE 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  924. #overlap SARE_HTML_URI_HIDADD Overlaps completely within SARE_HTML_P_BREAK 2004-06-11
  925. rawbody SARE_HTML_URI_HIDADD /(?:\&\~c\&o\&m|\&\~n\&e\&t)/i
  926. describe SARE_HTML_URI_HIDADD URI with obfuscated destination
  927. score SARE_HTML_URI_HIDADD 1.666
       #note SARE_HTML_URI_HIDADD Matches the literal text "&~c&o&m" or "&~n&e&t": the letters of com/net interleaved
       #note SARE_HTML_URI_HIDADD with "&" and "~". The backslashes before & and ~ are harmless but not needed.
  928. #stype SARE_HTML_URI_HIDADD spamp
  929. #hist SARE_HTML_URI_HIDADD Fred T: FR_HIDDEN_ADDY
  930. #overlap SARE_HTML_URI_HIDADD Overlaps completely within SARE_HTML_P_BREAK 2004-06-11
  931. #counts SARE_HTML_URI_HIDADD 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  932. #max SARE_HTML_URI_HIDADD 817s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
  933. #counts SARE_HTML_URI_HIDADD 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  934. #max SARE_HTML_URI_HIDADD 2s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
  935. #counts SARE_HTML_URI_HIDADD 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  936. #max SARE_HTML_URI_HIDADD 1s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  937. #counts SARE_HTML_URI_HIDADD 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  938. uri SARE_HTML_URI_HIDE1 /:ac=[A-Z,a-z,0-9,@,!,;]+/
  939. describe SARE_HTML_URI_HIDE1 URI attempts to hide destination domain
  940. score SARE_HTML_URI_HIDE1 0.100
       #note SARE_HTML_URI_HIDE1 Matches ":ac=" followed by one or more characters from the class, inside an extracted URI.
       #note SARE_HTML_URI_HIDE1 NOTE(review): commas inside [...] are literal members, not separators, so "," is also
       #note SARE_HTML_URI_HIDE1 accepted; [A-Za-z0-9@!;] is presumably what was meant. The literal ":ac=" is case-sensitive.
  941. #counts SARE_HTML_URI_HIDE1 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
  942. #counts SARE_HTML_URI_HIDE1 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  943. uri SARE_HTML_URI_LOGOGEN m{/logogen\.img\?}i
  944. score SARE_HTML_URI_LOGOGEN 1.666
  945. describe SARE_HTML_URI_LOGOGEN Uses some logo generation software
       #note SARE_HTML_URI_LOGOGEN Matches any URI containing the path segment "/logogen.img?" (any case), whatever the host.
  946. #hist SARE_HTML_URI_LOGOGEN Jesse Houwing, Aug 19 2004
  947. #counts SARE_HTML_URI_LOGOGEN 0s/0h of 175738 corpus (98979s/76759h RM) 02/14/05
  948. #max SARE_HTML_URI_LOGOGEN 6s/0h of 65858 corpus (40621s/25237h RM) 08/19/04
  949. #counts SARE_HTML_URI_LOGOGEN 319s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  950. #max SARE_HTML_URI_LOGOGEN 453s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  951. #counts SARE_HTML_URI_LOGOGEN 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  952. #max SARE_HTML_URI_LOGOGEN 48s/0h of 18647 corpus (16116s/2531h MY) 08/25/04
  953. #counts SARE_HTML_URI_LOGOGEN 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  954. #max SARE_HTML_URI_LOGOGEN 7s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  955. uri SARE_HTML_URI_OC /\?oc=\d{4,10}/
  956. describe SARE_HTML_URI_OC Possible spammer sign in URL
  957. score SARE_HTML_URI_OC 1.666
       #note SARE_HTML_URI_OC Matches a query string that starts "?oc=" followed by at least four digits.
       #note SARE_HTML_URI_OC Nothing follows \d{4,10}, so the upper bound of 10 is not enforced: longer digit runs match too.
  958. #hist SARE_HTML_URI_OC LW_URI_OC
  959. #counts SARE_HTML_URI_OC 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  960. #max SARE_HTML_URI_OC 440s/0h of 89461 corpus (67464s/21997h RM) 05/29/04
  961. #counts SARE_HTML_URI_OC 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  962. #max SARE_HTML_URI_OC 17s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  963. #counts SARE_HTML_URI_OC 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  964. #max SARE_HTML_URI_OC 85s/0h of 13454 corpus (11339s/2115h MY) 06/02/04
  965. uri SARE_HTML_URI_OFF /http.{5,35}\boff\.(?:htm|html|php|asp|pl|cgi|jsp)\b/i
  966. describe SARE_HTML_URI_OFF URI to page name which suggests spammer's page
  967. score SARE_HTML_URI_OFF 2.222
       #note SARE_HTML_URI_OFF Matches a page named "off" with one of the listed extensions, 5-35 characters after "http".
       #note SARE_HTML_URI_OFF \b before "off" allows any non-word character in front (/, -, =), not only a path separator.
       #note SARE_HTML_URI_OFF NOTE(review): this carries the highest score among the URI rules visible here while keying
       #note SARE_HTML_URI_OFF on a generic file name; watch for hits on legitimate off.html style pages.
  968. #hist SARE_HTML_URI_OFF FR_PAGE_OFF
  969. #counts SARE_HTML_URI_OFF 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  970. #max SARE_HTML_URI_OFF 2619s/0h of 109180 corpus (88746s/20434h RM) 04/09/04
  971. #counts SARE_HTML_URI_OFF 2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  972. #max SARE_HTML_URI_OFF 89s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
  973. #counts SARE_HTML_URI_OFF 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  974. #counts SARE_HTML_URI_OFF 0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  975. #max SARE_HTML_URI_OFF 39s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  976. ######## ###################### ##################################################
  977. # Header tags
  978. ######## ###################### ##################################################
  979. rawbody SARE_HTML_HEAD_AFFIL /\<h[0-9]\>.{2,30}\/.{1,3}affiliate.{1,20}\<\/h[0-9]\>/i
  980. describe SARE_HTML_HEAD_AFFIL Affiliate in BOLD
  981. score SARE_HTML_HEAD_AFFIL 0.744
       #note SARE_HTML_HEAD_AFFIL Matches an attribute-less <hN> heading whose text has a "/" within 1-3 characters
       #note SARE_HTML_HEAD_AFFIL before "affiliate". The rule tests heading tags, not <b>, despite the description.
       #note SARE_HTML_HEAD_AFFIL The opening and closing heading levels are not required to be the same digit.
  982. #hist SARE_HTML_HEAD_AFFIL Matt Yackley, Apr 15 2005
  983. #counts SARE_HTML_HEAD_AFFIL 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
  984. #max SARE_HTML_HEAD_AFFIL 23s/0h of 292246 corpus (119174s/173072h RM) 04/15/05
  985. #counts SARE_HTML_HEAD_AFFIL 0s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  986. #max SARE_HTML_HEAD_AFFIL 1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  987. #counts SARE_HTML_HEAD_AFFIL 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  988. #counts SARE_HTML_HEAD_AFFIL 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  989. #max SARE_HTML_HEAD_AFFIL 10s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  990. ######## ###################### ##################################################
  991. # Suspicious tag combinations
  992. ######## ###################### ##################################################
  993. rawbody SARE_HTML_ONE_LINE2 m'<body><p><a href="http://\w+\.\w+\.info/\?[\w\.]+"><IMG SRC="cid:[\w\@\.]+" border="0" ALT=""></a>'
  994. describe SARE_HTML_ONE_LINE2 standard spam formatting
  995. score SARE_HTML_ONE_LINE2 1.111
       #note SARE_HTML_ONE_LINE2 Exact template match, case-sensitive: <body><p> followed by a link to a three-label
       #note SARE_HTML_ONE_LINE2 .info host with a query string, wrapping an inline (cid:) image with an empty ALT.
       #note SARE_HTML_ONE_LINE2 Any change in tag case, attribute order or spacing stops the rule from matching.
  996. #stype SARE_HTML_ONE_LINE2 spamp
  997. #hist SARE_HTML_ONE_LINE2 Loren Wilton, LW_SINGLELINE4 Sep 5 2004
  998. #counts SARE_HTML_ONE_LINE2 0s/0h of 281655 corpus (110173s/171482h RM) 05/05/05
  999. #max SARE_HTML_ONE_LINE2 22s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
  1000. #counts SARE_HTML_ONE_LINE2 1s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  1001. #counts SARE_HTML_ONE_LINE2 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  1002. #max SARE_HTML_ONE_LINE2 5s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  1003. full SARE_HTML_ONE_LINE3 m'\n<html><body>\n<center>.{0,140}</center>\n</body></html>\n'
  1004. describe SARE_HTML_ONE_LINE3 Another single-line centered HTML message
  1005. score SARE_HTML_ONE_LINE3 1.256
        #note SARE_HTML_ONE_LINE3 A "full" rule runs on the undecoded message, so the three-line layout must appear
        #note SARE_HTML_ONE_LINE3 literally in the message as sent; a base64-encoded HTML part would not match.
        #note SARE_HTML_ONE_LINE3 There is no /s modifier, so the <center> content must fit on one line of at most 140 characters.
  1006. #hist SARE_HTML_ONE_LINE3 Loren Wilton: LW_SINGLELINE4
  1007. #counts SARE_HTML_ONE_LINE3 0s/0h of 281271 corpus (109792s/171479h RM) 05/05/05
  1008. #max SARE_HTML_ONE_LINE3 64s/0h of 70245 corpus (42816s/27429h RM) 10/02/04
  1009. #counts SARE_HTML_ONE_LINE3 61s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  1010. #counts SARE_HTML_ONE_LINE3 0s/0h of 19447 corpus (16862s/2585h MY) 10/06/04
  1011. #counts SARE_HTML_ONE_LINE3 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  1012. #max SARE_HTML_ONE_LINE3 1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  1013. rawbody SARE_HTML_LEAKTHRU1 m'^<BODY><p><(\w+)></(?:\1)><A href=\"[^"]+\"><(\w+)></(?:\2)>$'
  1014. score SARE_HTML_LEAKTHRU1 1.111
  1015. #stype SARE_HTML_LEAKTHRU1 spamp
  1016. #hist SARE_HTML_LEAKTHRU1 Loren Wilton: LW_LEAKTHRU
  1017. describe SARE_HTML_LEAKTHRU1 Another image-only spam
        #note SARE_HTML_LEAKTHRU1 Whole-line, case-sensitive match: <BODY><p>, an empty attribute-less element, then a link
        #note SARE_HTML_LEAKTHRU1 opening tag directly followed by a second empty element (names tied by \1 and \2).
        #note SARE_HTML_LEAKTHRU1 Every line this rule matches is also matched by SARE_HTML_LEAKTHRU2, so both scores apply.
  1018. #counts SARE_HTML_LEAKTHRU1 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
  1019. #max SARE_HTML_LEAKTHRU1 72s/0h of 196642 corpus (96193s/100449h RM) 02/22/05
  1020. #counts SARE_HTML_LEAKTHRU1 0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  1021. #counts SARE_HTML_LEAKTHRU1 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  1022. #max SARE_HTML_LEAKTHRU1 22s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
  1023. #counts SARE_HTML_LEAKTHRU1 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  1024. rawbody SARE_HTML_LEAKTHRU2 m'^<BODY><p><(\w+)(?:\s[\w\=]+)?></(?:\1)><A href=\"[^"]+\"><(\w+)(?:\s[\w\=]+)?></(?:\2)>$'
  1025. score SARE_HTML_LEAKTHRU2 1.666
  1026. #stype SARE_HTML_LEAKTHRU2 spamp
  1027. #hist SARE_HTML_LEAKTHRU2 Loren Wilton: LW_LEAKTHRU1
  1028. describe SARE_HTML_LEAKTHRU2 Another image-only spam
        #note SARE_HTML_LEAKTHRU2 Same whole-line template as SARE_HTML_LEAKTHRU1, except that each empty element may carry
        #note SARE_HTML_LEAKTHRU2 one unquoted attribute (\s[\w=]+). Because that part is optional, this pattern is a
        #note SARE_HTML_LEAKTHRU2 superset of LEAKTHRU1 and the two rules score together on the attribute-less form.
  1029. #counts SARE_HTML_LEAKTHRU2 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
  1030. #max SARE_HTML_LEAKTHRU2 178s/0h of 283600 corpus (129945s/153655h RM) 03/08/05
  1031. #counts SARE_HTML_LEAKTHRU2 0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  1032. #counts SARE_HTML_LEAKTHRU2 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  1033. #max SARE_HTML_LEAKTHRU2 48s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
  1034. #counts SARE_HTML_LEAKTHRU2 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  1035. ######## ###################### ##################################################
  1036. # Useless tags (tag structures that do nothing)
  1037. # Largely submitted by Matt Yackley, with contributions by
  1038. # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
  1039. ######## ###################### ##################################################
  1040. rawbody SARE_HTML_USL_B7 /(<b><\/b>.{1,5}){7,8}/i
  1041. describe SARE_HTML_USL_B7 Multiple <b></b> (7-8)
  1042. score SARE_HTML_USL_B7 0.100
        #note SARE_HTML_USL_B7 Seven or more repetitions of an empty <b></b> pair, each followed by 1-5 characters.
        #note SARE_HTML_USL_B7 The pattern is unanchored, so the upper bound of 8 does not exclude longer runs.
  1043. #counts SARE_HTML_USL_B7 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  1044. #max SARE_HTML_USL_B7 105s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1045. #counts SARE_HTML_USL_B7 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  1046. #counts SARE_HTML_USL_B7 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  1047. rawbody SARE_HTML_USL_B9 /(<b><\/b>.{1,5}){9,10}/i
  1048. describe SARE_HTML_USL_B9 Multiple <b></b> (9-10)
  1049. score SARE_HTML_USL_B9 0.100
        #note SARE_HTML_USL_B9 Nine or more repetitions of an empty <b></b> pair, each followed by 1-5 characters.
        #note SARE_HTML_USL_B9 Any text that matches here also matches SARE_HTML_USL_B7, so the two scores are cumulative.
  1050. #counts SARE_HTML_USL_B9 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  1051. #max SARE_HTML_USL_B9 99s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1052. #counts SARE_HTML_USL_B9 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  1053. #counts SARE_HTML_USL_B9 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  1054. ######## ###################### ##################################################
  1055. # <tag ... ALT= ...> tag tests
  1056. ######## ###################### ##################################################
  1057. ######## ###################### ##################################################
  1058. # <!-- Comment tag tests
  1059. ######## ###################### ##################################################
  1060. rawbody SARE_HTML_CMT_MONEY /<\!--\${1,10}-->/i
  1061. describe SARE_HTML_CMT_MONEY HTML Comment seems to mention money
  1062. score SARE_HTML_CMT_MONEY 0.100
        #note SARE_HTML_CMT_MONEY Matches an HTML comment whose entire content is 1 to 10 dollar signs, with no
        #note SARE_HTML_CMT_MONEY spaces or other text inside the comment.
  1063. #counts SARE_HTML_CMT_MONEY 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
  1064. #counts SARE_HTML_CMT_MONEY 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  1065. ######## ###################### ##################################################
  1066. # Image tag tests
  1067. ######## ###################### ##################################################
  1068. rawbody SARE_HTML_GIF_NUM /\.gif\d{2,}/i
  1069. describe SARE_HTML_GIF_NUM HTML contains tracking numbers after .gif
  1070. score SARE_HTML_GIF_NUM 0.100
        #note SARE_HTML_GIF_NUM Matches ".gif" followed directly by two or more digits anywhere in the raw body;
        #note SARE_HTML_GIF_NUM the pattern is not tied to an <img> tag or to a URL.
  1071. #counts SARE_HTML_GIF_NUM 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
  1072. #counts SARE_HTML_GIF_NUM 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  1073. ######## ###################### ##################################################
  1074. # Paragraphs, breaks, and spacings
  1075. ######## ###################### ##################################################
  1076. rawbody SARE_HTML_BR_MANY /<br>{5}/i
  1077. describe SARE_HTML_BR_MANY Too many sequential identical HTML tags
  1078. score SARE_HTML_BR_MANY 0.555
        #note SARE_HTML_BR_MANY NOTE(review): {5} binds only to the ">" before it, so this matches the literal
        #note SARE_HTML_BR_MANY text "<br>>>>>" and not five consecutive <br> tags as the description suggests.
        #note SARE_HTML_BR_MANY Five tags would need a group, (?:<br>){5}. That form hits far more mail, so re-run
        #note SARE_HTML_BR_MANY mass-checks and re-score before changing the pattern.
  1079. #stype SARE_HTML_BR_MANY spamp
  1080. #counts SARE_HTML_BR_MANY 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1081. #max SARE_HTML_BR_MANY 2s/0h of 258858 corpus (114246s/144612h RM) 05/27/05
  1082. #counts SARE_HTML_BR_MANY 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  1083. #counts SARE_HTML_BR_MANY 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1084. #counts SARE_HTML_BR_MANY 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  1085. rawbody __SARE_HTML_MANY_BR05 /<br>\s*<br>\s*<br>\s*<br>\s*<br>\s*<br>/i
        # The pattern spells out six <br> tags (not five), separated only by optional whitespace.
        # Only the bare form <br> is matched; <br/> and <br /> are not.
  1086. meta SARE_HTML_MANY_BR05 __SARE_HTML_MANY_BR05 && HTML_MESSAGE
        # HTML_MESSAGE is defined outside this file; it limits the rule to mail that contains an HTML part.
  1087. describe SARE_HTML_MANY_BR05 Tooo many <br>'s!
  1088. score SARE_HTML_MANY_BR05 0.500
  1089. #hist SARE_HTML_MANY_BR05 Contrib by Matt Keller June 7 2004
  1090. #note SARE_HTML_MANY_BR05 Remove HTML_MESSAGE test increases spam 4% but doubles ham
  1091. #hist SARE_HTML_MANY_BR05 this and SARE_HTML_MANY_BR10 obsolete SARE_HTML_TD_BR4 = FR_WICKED_SPAM_??
  1092. #counts SARE_HTML_MANY_BR05 0s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
  1093. #alone SARE_HTML_MANY_BR05 2051s/43h of 66351 corpus (40971s/25380h RM) 08/21/04
  1094. #counts SARE_HTML_MANY_BR05 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  1095. #max SARE_HTML_MANY_BR05 755s/2h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  1096. #counts SARE_HTML_MANY_BR05 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  1097. ######## ###################### ##################################################
  1098. # Javascript and object tests
  1099. ######## ###################### ##################################################
  1100. rawbody SARE_HTML_JVS_POPUP /<body onload \= \"window\.open/i
  1101. describe SARE_HTML_JVS_POPUP Bad HTML form. Tries to load a javascript pop up.
  1102. score SARE_HTML_JVS_POPUP 0.100
        #note SARE_HTML_JVS_POPUP Matches a <body> tag whose first attribute is onload = "window.open, with exactly one
        #note SARE_HTML_JVS_POPUP literal space on each side of "=".
        #note SARE_HTML_JVS_POPUP NOTE(review): the usual spelling onload="window.open (no spaces) is not covered;
        #note SARE_HTML_JVS_POPUP \s*=\s* would cover both if that is the intent. Re-check ham hits before widening.
  1103. #counts SARE_HTML_JVS_POPUP 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
  1104. #counts SARE_HTML_JVS_POPUP 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
  1105. ######## ###################### ##################################################
  1106. # Tests destined for other rule sets
  1107. ######## ###################### ##################################################
  1108. full __SARE_PHISH_HTML_01a m*<a[^<]{0,60} onMouseMove=(?:3D)?"window.status=(?:3D)?'https?://*
  1109. rawbody __SARE_PHISH_HTML_01b m*<a[^<]{0,60} onMouseMove=(?:3D)?"window.status=(?:3D)?'https?://*
        # Both sub-rules use "*" as the m// delimiter, so the trailing "*" ends the pattern and is not a quantifier.
        # They look for a link whose onMouseMove handler writes an http(s) URL into window.status, i.e. the
        # status bar is made to show an address other than the one the link really leads to.
        # The optional "3D" accepts quoted-printable "=3D"; 01a tests the undecoded message, 01b the decoded body.
        # NOTE(review): no /i, so only the exact spelling onMouseMove is matched although HTML attribute names
        # are case-insensitive; the "." in window.status is unescaped and matches any character.
  1110. meta SARE_PHISH_HTML_01 __SARE_PHISH_HTML_01a || __SARE_PHISH_HTML_01b
  1111. describe SARE_PHISH_HTML_01 Hiding actual site with fake secure site!
  1112. score SARE_PHISH_HTML_01 2.500
  1113. #stype SARE_PHISH_HTML_01 spamgg # phish
  1114. #hist SARE_PHISH_HTML_01 Loren Wilton: LW_MOUSEMOVE
  1115. #counts SARE_PHISH_HTML_01 1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
  1116. #max SARE_PHISH_HTML_01 17s/0h of 70245 corpus (42816s/27429h RM) 10/02/04
  1117. #counts SARE_PHISH_HTML_01 2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1118. #max SARE_PHISH_HTML_01 5s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  1119. #counts SARE_PHISH_HTML_01 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  1120. #max SARE_PHISH_HTML_01 6s/0h of 19447 corpus (16862s/2585h MY) 10/06/04
  1121. #counts SARE_PHISH_HTML_01 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  1122. # EOF
  1123. # SARE HTML Ruleset for SpamAssassin - ruleset 3
  1124. # Version: 01.03.10
  1125. # Created: 2004-03-31
  1126. # Modified: 2006-06-03
  1127. # Usage instructions, documentation, and change history in 70_sare_html0.cf
  1128. #@@# Revision History: Full Revision History stored in 70_sare_html.log
  1129. #@@# 01.03.10: June 3 2006
  1130. #@@# Minor score tweaks based on recent mass-checks
  1131. #@@# Modified "rule has been moved" meta flags
  1132. #@@# Archive: SARE_HTML_URI_OPTPHP
  1133. #@@# Moved file 1 to 3: SARE_HTML_URI_DEFASP
  1134. # License: Artistic - see http://www.rulesemporium.com/license.txt
  1135. # Current Maintainer: Bob Menschel - RMSA@Menschel.net
  1136. # Current Home: http://www.rulesemporium.com/rules/70_sare_html3.cf
  1137. #
  1138. ######## ###################### ##################################################
  1139. ######## ###################### ##################################################
  1140. # Rules renamed or moved
  1141. ######## ###################### ##################################################
  1142. meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
        # X && !X can never be true, so __SARE_HEAD_FALSE is a constant-false helper.
        # It relies on __FROM_AOL_COM being defined elsewhere (not in this excerpt) - confirm it is
        # available in every installation that loads this file.
  1143. meta SARE_HTML_URI_OPTPHP __SARE_HEAD_FALSE
        # SARE_HTML_URI_OPTPHP is kept as a name but can never fire; the revision history above lists it as archived.
  1144. ######## ###################### ##################################################
        # Shared sub-rules for ruleset 3. The leading "__" marks them as unscored building blocks for meta rules.
  1145. body __NONEMPTY_BODY /\S/
        # __NONEMPTY_BODY: the rendered body contains at least one non-whitespace character.
  1146. header __TOCC_EXISTS exists:ToCc
        # The tag-existence and tag-sequence helpers below repeat, line for line, the set defined in ruleset 2.
        # NOTE(review): if both rulesets are loaded the same names are defined twice; presumably harmless
        # because the definitions are identical, but confirm with a lint run.
  1147. rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
  1148. rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
  1149. rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
  1150. rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
  1151. rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
  1152. rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
  1153. rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
  1154. rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
  1155. rawbody __SARE_HTML_HBODY m'<html><body>'i
  1156. rawbody __SARE_HTML_BEHTML m'<body></html>'i
  1157. rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
  1158. rawbody __SARE_HTML_EFONT m'^</font>'i
  1159. rawbody __SARE_HTML_EHEB m'^</html></body>'i
  1160. rawbody __SARE_HTML_CMT_CNTR /<center><!--/
  1161. ######## ###################### ##################################################
  1162. # Is there a message?
  1163. ######## ###################### ##################################################
  1164. meta SARE_HTML_EMPTY __CTYPE_HTML && !( __SARE_HTML_HAS_TITLE || __TAG_EXISTS_HTML || __SARE_HTML_HAS_FONT || __TAG_EXISTS_BODY || __SARE_HTML_HAS_PRE || __SARE_HTML_HAS_DIV || __SARE_HTML_HAS_P || __SARE_HTML_HAS_A || __SARE_HTML_HAS_BR )
  1165. describe SARE_HTML_EMPTY Email is HTML format, but common tags not found
  1166. score SARE_HTML_EMPTY 0.681
        #note SARE_HTML_EMPTY Fires when __CTYPE_HTML is true and none of the nine listed tag tests hit.
        #note SARE_HTML_EMPTY __CTYPE_HTML, __TAG_EXISTS_HTML and __TAG_EXISTS_BODY are not defined in this excerpt;
        #note SARE_HTML_EMPTY they must come from another loaded rules file.
        #note SARE_HTML_EMPTY __SARE_HTML_HAS_IMG is not in the list, so a part holding only an <img> tag still counts as empty.
  1167. #ham SARE_HTML_EMPTY An "html" format email, 30 Oct 2002, Microsoft Outlook Express 6.00.2600.0000, that used no tags, just one long textual paragraph
  1168. #counts SARE_HTML_EMPTY 226s/7h of 333405 corpus (262498s/70907h RM) 05/12/06
  1169. #max SARE_HTML_EMPTY 506s/33h of 689155 corpus (348140s/341015h RM) 09/18/05
  1170. #counts SARE_HTML_EMPTY 28s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1171. #max SARE_HTML_EMPTY 32s/2h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  1172. #counts SARE_HTML_EMPTY 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  1173. #max SARE_HTML_EMPTY 132s/2h of 26326 corpus (22886s/3440h MY) 02/15/05
  1174. #counts SARE_HTML_EMPTY 0s/0h of 13284 corpus (7412s/5872h CT) 05/14/06
  1175. #max SARE_HTML_EMPTY 12s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  1176. #counts SARE_HTML_EMPTY 1s/173h of 7500 corpus (1767s/5733h ft) 09/18/05
  1177. ######## ###################### ##################################################
  1178. # <HTML> and <BODY> tag spamsign
  1179. ######## ###################### ##################################################
  1180. rawbody __SARE_HTML_BODY_END2 m'</body[^>]*>.*</body[^>]*>'i
  1181. meta SARE_HTML_BODY_END2 __SARE_HTML_BODY_END2
  1182. describe SARE_HTML_BODY_END2 Double </body>
  1183. score SARE_HTML_BODY_END2 0.444
        #note SARE_HTML_BODY_END2 The scored rule is a meta that wraps the rawbody sub-rule one-to-one
        #note SARE_HTML_BODY_END2 ".*" is used without /s, so the two </body> tags must not be separated by a newline; a second </body> on a later line is presumably missed - TODO confirm how rawbody text is chunked on the deployed version
  1184. #hist SARE_HTML_BODY_END2 Contrib by Matt Keller June 7 2004
  1185. #note SARE_HTML_BODY_END2 Add/remove HTML_MESSAGE test has no effect
  1186. #counts SARE_HTML_BODY_END2 15s/1h of 333405 corpus (262498s/70907h RM) 05/12/06
  1187. #max SARE_HTML_BODY_END2 163s/13h of 281655 corpus (110173s/171482h RM) 05/05/05
  1188. #counts SARE_HTML_BODY_END2 2s/1h of 9988 corpus (5657s/4331h AxB) 05/14/06
  1189. #counts SARE_HTML_BODY_END2 1s/1h of 13284 corpus (7412s/5872h CT) 05/14/06
  1190. #max SARE_HTML_BODY_END2 6s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  1191. #counts SARE_HTML_BODY_END2 6s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
  1192. #counts SARE_HTML_BODY_END2 0s/7h of 42328 corpus (34212s/8116h FVGT) 05/15/06
  1193. #counts SARE_HTML_BODY_END2 15s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1194. #max SARE_HTML_BODY_END2 63s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  1195. #counts SARE_HTML_BODY_END2 13s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
  1196. #counts SARE_HTML_BODY_END2 52s/2h of 23053 corpus (17334s/5719h MY) 05/14/06
  1197. #max SARE_HTML_BODY_END2 69s/2h of 57287 corpus (52272s/5015h MY) 09/22/05
  1198. rawbody SARE_HTML_HTML_DBL /<html[^>]*><html[^>]*>/i
  1199. describe SARE_HTML_HTML_DBL Message body has very strange HTML sequence
  1200. score SARE_HTML_HTML_DBL 0.639
        #note SARE_HTML_HTML_DBL Matches two opening <html> tags back to back with nothing between them (case-insensitive); [^>]* lets either tag carry attributes
        #note SARE_HTML_HTML_DBL The #ham line below records verified hits on opt-in lists, so this is not a spam-only trait
  1201. #ham SARE_HTML_HTML_DBL Verified (several), common to various opt-in lists.
  1202. #hist SARE_HTML_HTML_DBL Fred T: FR_HTML_HTML
  1203. #hist SARE_HTML_HTML_DBL 2004-06-11: [^>]* added by Bob Menschel
  1204. #counts SARE_HTML_HTML_DBL 7s/1h of 333405 corpus (262498s/70907h RM) 05/12/06
  1205. #max SARE_HTML_HTML_DBL 168s/0h of 65984 corpus (40739s/25245h RM) 08/21/04
  1206. #counts SARE_HTML_HTML_DBL 1s/0h of 9988 corpus (5657s/4331h AxB) 05/14/06
  1207. #counts SARE_HTML_HTML_DBL 0s/0h of 13284 corpus (7412s/5872h CT) 05/14/06
  1208. #max SARE_HTML_HTML_DBL 9s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  1209. #counts SARE_HTML_HTML_DBL 3s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
  1210. #counts SARE_HTML_HTML_DBL 25s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  1211. #max SARE_HTML_HTML_DBL 75s/0h of 32906 corpus (9660s/23246h JH) 05/24/04
  1212. #counts SARE_HTML_HTML_DBL 1s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
  1213. #counts SARE_HTML_HTML_DBL 8s/1h of 23053 corpus (17334s/5719h MY) 05/14/06
  1214. #max SARE_HTML_HTML_DBL 10s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  1215. ######## ###################### ##################################################
  1216. # <TITLE> Tag Tests
  1217. ######## ###################### ##################################################
  1218. # Moved file 1 to 3: SARE_HTML_TITLE_MNY
  1219. rawbody SARE_HTML_TITLE_MNY /<title>.{0,25}Money.{0,25}<\/title>/i
  1220. describe SARE_HTML_TITLE_MNY HTML Title implies this may be spam
  1221. score SARE_HTML_TITLE_MNY 0.458
        #note SARE_HTML_TITLE_MNY Case-insensitive "Money" with at most 25 characters on either side inside an attribute-less <title>...</title>; "." does not cross a newline here (no /s)
        #note SARE_HTML_TITLE_MNY There is no word boundary, so "money" inside a longer word also matches
  1222. #ham SARE_HTML_TITLE_MNY confirmed
  1223. #hist SARE_HTML_TITLE_MNY Fred T: FR_TITLE_MONEY
  1224. #counts SARE_HTML_TITLE_MNY 16s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
  1225. #max SARE_HTML_TITLE_MNY 260s/11h of 689155 corpus (348140s/341015h RM) 09/18/05
  1226. #counts SARE_HTML_TITLE_MNY 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
  1227. #max SARE_HTML_TITLE_MNY 0s/1h of 6944 corpus (3188s/3756h CT) 05/19/04
  1228. #counts SARE_HTML_TITLE_MNY 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  1229. #max SARE_HTML_TITLE_MNY 7s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  1230. #counts SARE_HTML_TITLE_MNY 2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
  1231. #counts SARE_HTML_TITLE_MNY 15s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  1232. #max SARE_HTML_TITLE_MNY 120s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  1233. ######## ###################### ##################################################
  1234. # <A> and HREF rules
  1235. ######## ###################### ##################################################
  1236. ######## ###################### ##################################################
  1237. # Spamsign character sets and fonts
  1238. ######## ###################### ##################################################
  1239. rawbody SARE_HTML_COLOR_B /(?:style="?|<style[^>]*>)[^>"]*[^-]color\s*:\s*rgb\(\s*2[2-5][0-9]\s*,\s*2[2-5][0-9]\s*,\s*2[2-5][0-9]\s*\)[^>]*>/i
  1240. describe SARE_HTML_COLOR_B BAD STYLE: color: too light (rgb(n))
  1241. score SARE_HTML_COLOR_B 0.621
        #note SARE_HTML_COLOR_B Matches "color: rgb(r,g,b)" after style= or a <style> tag when every channel matches 2[2-5][0-9], i.e. 220-259 (so the out-of-range values 256-259 match too)
        #note SARE_HTML_COLOR_B "[^-]color" requires a character other than "-" before "color", which skips background-color
        #note SARE_HTML_COLOR_B NOTE(review): only the foreground colour is tested, not the background it is drawn on, so light text on a dark background also matches - consistent with the ham hits recorded below
  1242. #ham SARE_HTML_COLOR_B Ticketmaster ticket confirmation emails
  1243. #hist SARE_HTML_COLOR_B From Jesse Houwing May 14 2004
  1244. #counts SARE_HTML_COLOR_B 20s/4h of 333405 corpus (262498s/70907h RM) 05/12/06
  1245. #counts SARE_HTML_COLOR_B 2s/8h of 9988 corpus (5657s/4331h AxB) 05/14/06
  1246. #counts SARE_HTML_COLOR_B 1s/1h of 13284 corpus (7412s/5872h CT) 05/14/06
  1247. #counts SARE_HTML_COLOR_B 47s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
  1248. #counts SARE_HTML_COLOR_B 0s/1h of 42328 corpus (34212s/8116h FVGT) 05/15/06
  1249. #counts SARE_HTML_COLOR_B 3s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1250. #max SARE_HTML_COLOR_B 5s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  1251. #counts SARE_HTML_COLOR_B 12s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
  1252. #counts SARE_HTML_COLOR_B 8s/0h of 23053 corpus (17334s/5719h MY) 05/14/06
  1253. rawbody SARE_HTML_LANG_PTBR /lang=(?:3D)?PT-BR/
  1254. describe SARE_HTML_LANG_PTBR Odd language
  1255. score SARE_HTML_LANG_PTBR 0.189
        #note SARE_HTML_LANG_PTBR Matches the literal lang=PT-BR, or lang=3DPT-BR as it appears when "=" is quoted-printable encoded; there is no /i and no allowance for quotes, so lang="pt-br" does not match
        #note SARE_HTML_LANG_PTBR NOTE(review): this keys on a language tag rather than a spam trait; the CT corpus line below records 9s/25h. Sites that receive legitimate Brazilian Portuguese mail should consider overriding the score to 0 locally
  1256. #hist SARE_HTML_LANG_PTBR LW_PT_BR, Loren Wilton
  1257. #counts SARE_HTML_LANG_PTBR 11s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  1258. #max SARE_HTML_LANG_PTBR 213s/0h of 70693 corpus (43127s/27566h RM) 10/02/04
  1259. #counts SARE_HTML_LANG_PTBR 0s/1h of 56020 corpus (51687s/4333h AxB2) 05/15/06
  1260. #counts SARE_HTML_LANG_PTBR 9s/25h of 13284 corpus (7412s/5872h CT) 05/14/06
  1261. #counts SARE_HTML_LANG_PTBR 1s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
  1262. #counts SARE_HTML_LANG_PTBR 69s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1263. #counts SARE_HTML_LANG_PTBR 2s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
  1264. #counts SARE_HTML_LANG_PTBR 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  1265. #max SARE_HTML_LANG_PTBR 10s/0h of 19448 corpus (16863s/2585h MY) 10/05/04
  1266. ######## ###################### ##################################################
  1267. # Invalid or Suspicious URI Tests
  1268. ######## ###################### ##################################################
  1269. uri SARE_HTML_URI_DEFASP m'/default.asp\?id='i
  1270. describe SARE_HTML_URI_DEFASP URI to page name which suggests spammer's page
  1271. score SARE_HTML_URI_DEFASP 0.093
        #note SARE_HTML_URI_DEFASP Case-insensitive match on a URI containing /default.asp?id= ; the "." before "asp" is unescaped and matches any character (the literal form would be default\.asp)
        #note SARE_HTML_URI_DEFASP NOTE(review): the most recent RM line below records 0s/8h, i.e. only ham hits in that run; the page name is common on legitimate sites, so treat hits as near-neutral
  1272. #hist SARE_HTML_URI_DEFASP Deleted SARE_HTML_URI_X1 = LW_URI_ID due to complete overlap: /\?id\x10\x30\x34\x35/i
  1273. #counts SARE_HTML_URI_DEFASP 0s/8h of 333405 corpus (262498s/70907h RM) 05/12/06
  1274. #max SARE_HTML_URI_DEFASP 130s/27h of 689155 corpus (348140s/341015h RM) 09/18/05
  1275. #counts SARE_HTML_URI_DEFASP 0s/5h of 13287 corpus (7414s/5873h CT) 05/14/06
  1276. #max SARE_HTML_URI_DEFASP 44s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  1277. #counts SARE_HTML_URI_DEFASP 1s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
  1278. #counts SARE_HTML_URI_DEFASP 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1279. #max SARE_HTML_URI_DEFASP 361s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  1280. #counts SARE_HTML_URI_DEFASP 24s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
  1281. #max SARE_HTML_URI_DEFASP 24s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  1282. ######## ###################### ##################################################
  1283. # Image tag tests
  1284. ######## ###################### ##################################################
  1285. ######## ###################### ##################################################
  1286. # Paragraphs, breaks, and spacings
  1287. ######## ###################### ##################################################
  1288. rawbody SARE_HTML_P_MANY3 /<P><P><P>/i
  1289. describe SARE_HTML_P_MANY3 Too many empty paragraph tags in a row
  1290. score SARE_HTML_P_MANY3 1.108
        #note SARE_HTML_P_MANY3 Matches three attribute-less <p> tags in a row with no whitespace between them (case-insensitive)
        #note SARE_HTML_P_MANY3 Highest score in this part of the file (1.108); the #overlap and #ham lines below record full overlap with SARE_HTML_URI_MANYP2 and a known ham sender, so check combined scoring before raising it
  1291. #hist SARE_HTML_P_MANY3 04/02/2004 http://www.rulesemporium.com/rules/99_FVGT_rawbody.cf
  1292. #overlap SARE_HTML_P_MANY3 Total overlap within SARE_HTML_URI_MANYP2, but no ham hits here (until Feb 2005)
  1293. #ham SARE_HTML_P_MANY3 From: Ticketmaster <support@reply.ticketmaster.com>, Tuesday, January 25, 2005, 4:00:27 PM
  1294. #counts SARE_HTML_P_MANY3 78s/6h of 333405 corpus (262498s/70907h RM) 05/12/06
  1295. #max SARE_HTML_P_MANY3 458s/28h of 689155 corpus (348140s/341015h RM) 09/18/05
  1296. #counts SARE_HTML_P_MANY3 143s/0h of 56020 corpus (51687s/4333h AxB2) 05/15/06
  1297. #counts SARE_HTML_P_MANY3 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  1298. #max SARE_HTML_P_MANY3 9s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  1299. #counts SARE_HTML_P_MANY3 412s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
  1300. #counts SARE_HTML_P_MANY3 50s/0h of 42328 corpus (34212s/8116h FVGT) 05/15/06
  1301. #counts SARE_HTML_P_MANY3 4s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1302. #max SARE_HTML_P_MANY3 15s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
  1303. #counts SARE_HTML_P_MANY3 9s/0h of 23053 corpus (17334s/5719h MY) 05/14/06
  1304. #max SARE_HTML_P_MANY3 41s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  1305. ######## ###################### ##################################################
  1306. # Javascript and object tests
  1307. ######## ###################### ##################################################
  1308. ######## ###################### ##################################################
  1309. # Useless tags (tag structures that do nothing)
  1310. # Largely submitted by Matt Yackley, with contributions by
  1311. # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
  1312. ######## ###################### ##################################################
  1313. rawbody SARE_HTML_USL_1CHAR m'(?!<[biopu]></[biopu]>)<([a-z])></\1>'i
  1314. describe SARE_HTML_USL_1CHAR Invalid and empty 1-char tag - /tag combination
  1315. score SARE_HTML_USL_1CHAR 0.029
        #note SARE_HTML_USL_1CHAR Matches an empty one-letter element <x></x> whose closing letter equals the opening one (backreference \1); the negative lookahead skips any position where the letters are drawn from b, i, o, p, u
        #note SARE_HTML_USL_1CHAR NOTE(review): valid empty elements such as <a></a>, <s></s> and <q></q> still match despite "Invalid" in the description; the RM and DOC lines below record more ham than spam (6s/14h, 8s/30h)
  1316. #counts SARE_HTML_USL_1CHAR 6s/14h of 333405 corpus (262498s/70907h RM) 05/12/06
  1317. #max SARE_HTML_USL_1CHAR 46s/6h of 196718 corpus (96193s/100525h RM) 02/22/05
  1318. #counts SARE_HTML_USL_1CHAR 3s/0h of 56020 corpus (51687s/4333h AxB2) 05/15/06
  1319. #counts SARE_HTML_USL_1CHAR 0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  1320. #max SARE_HTML_USL_1CHAR 3s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  1321. #counts SARE_HTML_USL_1CHAR 8s/30h of 155408 corpus (103805s/51603h DOC) 05/15/06
  1322. #counts SARE_HTML_USL_1CHAR 2s/1h of 42328 corpus (34212s/8116h FVGT) 05/15/06
  1323. #counts SARE_HTML_USL_1CHAR 3s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1324. #max SARE_HTML_USL_1CHAR 6s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
  1325. #counts SARE_HTML_USL_1CHAR 2s/0h of 23053 corpus (17334s/5719h MY) 05/14/06
  1326. ######## ###################### ##################################################
  1327. # Miscellaneous tag tests
  1328. ######## ###################### ##################################################
  1329. rawbody SARE_HTML_BODY_2SP /<body /i
  1330. describe SARE_HTML_BODY_2SP HTML tag is strangely formed
  1331. score SARE_HTML_BODY_2SP 0.665
        #note SARE_HTML_BODY_2SP NOTE(review): as shown here the pattern is "<body" followed by a single space, which matches any <body> tag that carries attributes
        #note SARE_HTML_BODY_2SP The rule name and the #hist line below (FR_BODY_2SPACES) suggest two spaces were intended; runs of whitespace may have been collapsed when this listing was rendered - verify against the original file before deploying
  1332. #hist SARE_HTML_BODY_2SP FR_BODY_2SPACES
  1333. #counts SARE_HTML_BODY_2SP 682s/152h of 333405 corpus (262498s/70907h RM) 05/12/06
  1334. #counts SARE_HTML_BODY_2SP 678s/2h of 9988 corpus (5657s/4331h AxB) 05/14/06
  1335. #counts SARE_HTML_BODY_2SP 48s/0h of 13284 corpus (7412s/5872h CT) 05/14/06
  1336. #counts SARE_HTML_BODY_2SP 215s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
  1337. #counts SARE_HTML_BODY_2SP 1455s/8h of 42328 corpus (34212s/8116h FVGT) 05/15/06
  1338. #counts SARE_HTML_BODY_2SP 62s/5h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1339. #max SARE_HTML_BODY_2SP 94s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  1340. #counts SARE_HTML_BODY_2SP 361s/2h of 106399 corpus (73151s/33248h ML) 05/14/06
  1341. #counts SARE_HTML_BODY_2SP 21s/2h of 23053 corpus (17334s/5719h MY) 05/14/06
  1342. #max SARE_HTML_BODY_2SP 66s/2h of 47221 corpus (42968s/4253h MY) 06/18/05
  1343. full SARE_HTML_TD_BR m'<td.{10,400}<br>.{1,7}<br>.{1,7}<br>.{1,7}<br>.{0,400}</td>'is
  1344. describe SARE_HTML_TD_BR Multiple line breaks in spammer pattern
  1345. score SARE_HTML_TD_BR 0.934
        #note SARE_HTML_TD_BR Matches four <br> tags, each separated by 1-7 characters, inside a <td>...</td> with 10-400 characters before the first <br> and up to 400 after the last; /s lets "." cross newlines and /i ignores case
        #note SARE_HTML_TD_BR NOTE(review): this is a "full" rule, which is applied to the whole undecoded message; an HTML part sent base64 or quoted-printable encoded is presumably not matched in its decoded form - TODO confirm
        #note SARE_HTML_TD_BR NOTE(review): several wide bounded quantifiers over the full message make this one of the costlier patterns in this part of the file; measure on large messages if scan time matters
  1346. #hist SARE_HTML_TD_BR Fred T: FR_WICKED_SPAM_??
  1347. #counts SARE_HTML_TD_BR 2757s/33h of 333405 corpus (262498s/70907h RM) 05/12/06
  1348. #counts SARE_HTML_TD_BR 368s/0h of 56020 corpus (51687s/4333h AxB2) 05/15/06
  1349. #counts SARE_HTML_TD_BR 40s/10h of 13284 corpus (7412s/5872h CT) 05/14/06
  1350. #counts SARE_HTML_TD_BR 471s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
  1351. #counts SARE_HTML_TD_BR 190s/10h of 42328 corpus (34212s/8116h FVGT) 05/15/06
  1352. #counts SARE_HTML_TD_BR 36s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  1353. #max SARE_HTML_TD_BR 182s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  1354. #counts SARE_HTML_TD_BR 700s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
  1355. #counts SARE_HTML_TD_BR 68s/14h of 23053 corpus (17334s/5719h MY) 05/14/06
  1356. #max SARE_HTML_TD_BR 184s/15h of 47221 corpus (42968s/4253h MY) 06/18/05
  1357. # EOF