70_sare_header1.cf 143 KB

  1. # SARE Header Abuse Ruleset for SpamAssassin -- file 1
  2. # Version: 01.03.21
  3. # Created: 2004-04-25
  4. # Modified: 2006-05-21
  5. # Usage instructions and documentation in 70_sare_header0.cf
  6. # Full Revision History / Change Log in 70_sare_header.log
  7. #@@# 01.03.20 May 20 2005
  8. #@@# Minor score updates based on additional mass-check
  9. #@@# Modified "rule has been moved" meta flags
  10. #@@# Archived from file 1 SARE_FROM_SPAM_DOMN0
  11. #@@# Archived from file 1 SARE_HEAD_HDR_ALTREC
  12. #@@# Archived from file 1 SARE_HEAD_HDR_XBBOUNC
  13. #@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL2
  14. #@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL4
  15. #@@# Archived from file 1 SARE_HEAD_HDR_XMEBDOM
  16. #@@# Archived from file 1 SARE_HEAD_HDR_XWTID
  17. #@@# Archived from file 1 SARE_HEAD_HDR_XWTVERS
  18. #@@# Archived from file 1 SARE_HEAD_ORIG_RECIP
  19. #@@# Archived from file 1 SARE_RECV_IP_195229
  20. #@@# Moved file 0 to file 1 SARE_FREE_WEBM_EsTerra
  21. #@@# Moved file 0 to file 1 SARE_FROM_SPAM_NAME2A
  22. #@@# Moved file 0 to file 1 SARE_HEAD_DATE46
  23. #@@# Moved file 0 to file 1 SARE_HEAD_HDR_XEMAIL
  24. #@@# Moved file 0 to file 1 SARE_HEAD_MIME_INVALID
  25. #@@# Moved file 0 to file 1 SARE_RECV_IP_063106130
  26. #@@# Moved file 1 to file 0 SARE_HEAD_HDR_XLISTAD
  27. #@@# Moved file 1 to file 0 SARE_HEAD_MSMPR_RNDSTR
  28. #@@# Moved file 1 to file 0 SARE_RECV_IP_209190
  29. #@@# Moved file 1 to file 2 SARE_HEAD_DATE_RNDDATE
  30. #@@# Moved file 1 to file 2 SARE_HEAD_HDR_MSGTYPE
  31. #@@# Moved file 1 to file 2 SARE_HEAD_HDR_X400RCV
  32. #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XCNDINF
  33. #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XRIPE
  34. #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XSAFMMI
  35. #@@# Moved file 1 to file 2 SARE_RECV_IP_062023
  36. #@@# Moved file 1 to file 2 SARE_RECV_IP_065205157
  37. #@@# Moved file 1 to file 2 SARE_RECV_IP_066248154
  38. #@@# Moved file 1 to file 2 SARE_RECV_IP_206248152
  39. #@@# Moved file 1 to file 2 SARE_RECV_RND_DATE
  40. #@@# Moved file 1 to file 2 SARE_XMAIL_GDI
  41. #@@# Moved file 1 to file 3 SARE_HEAD_DATE_5L
  42. #@@# Moved file 1 to file 3 SARE_HEAD_XWORD
  43. #@@# Moved file 1 to file 3 SARE_RECV_IP_063106130
  44. #@@# Moved file 1 to file 3 SARE_RECV_IP_064034
  45. #@@# Moved file 1 to file 3 SARE_XMAIL_GOMAIL
  46. #@@# Moved file 1 to file 3 SARE_XMAIL_TOLMAIL
  47. #@@# Moved from file 1 to 3 SARE_FROM_DVDCOPY
  48. #@@# Moved from file 1 to 3 SARE_RECV_FREESERVE
  49. #@@# Returned file 1 to file 0 SARE_HEAD_HDR_XTID
  50. #@@# Returned file 1 to file 0 SARE_RECV_IP_163125
  51. #@@# Returned file 2 to file 1 SARE_RECV_IP_142046
  52. #@@# 01.03.21 May 21 2005
  53. #@@# Minor repairs to "downgraded rule" metas.
  54. # License: Artistic - see http://www.rulesemporium.com/license.txt
  55. # Current Maintainer: Bob Menschel - RMSA@Menschel.net
  56. # Current Home: http://www.rulesemporium.com/rules/70_sare_header1.cf
  57. ######## ###################### ##################################################
  58. # Component rules used within meta rules
  59. ######## ###################### ##################################################
  # Sub-rule (the leading "__" marks it as unscored, for use inside meta rules):
  # true when Subject contains three or more consecutive bytes in \x80-\xff.
  # NOTE(review): nothing in the visible part of this file references it, and
  # SARE_HEAD_8BIT_NOSPM / SARE_HEAD_8BIT_SPAM are aliased to the always-false
  # meta below -- confirm a consumer still exists before keeping it.
  60. header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
  61. ######## ###################### ##################################################
  62. # Meta rules used to prevent --lint errors after moving/changing rules
  63. ######## ###################### ##################################################
  # __SARE_HEAD_FALSE is "X && !X", which can never be true whatever X is.
  # Every rule name below is aliased to it, so the name stays defined (the
  # section header says this is to avoid --lint errors after rules were moved
  # or changed) while the rule itself can never fire.
  # NOTE(review): __FROM_AOL_COM is not defined in the visible part of this
  # file; presumably it comes from the stock ruleset -- confirm it is present
  # wherever this file is installed.
  # NOTE(review): a name that is aliased here and also defined as a live rule
  # in the same file has two conflicting definitions. Which one takes effect
  # depends on how the parser handles redefinition (presumably the later one
  # wins), so confirm the effective rule with --lint and a test message.
  64. meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
  65. meta SARE_FREE_WEBM_CZSEZNA __SARE_HEAD_FALSE
  66. meta SARE_FROM_MULTI_DASH __SARE_HEAD_FALSE
  67. meta SARE_HEAD_DATE18 __SARE_HEAD_FALSE
  68. meta SARE_MSGID_LONG40 __SARE_HEAD_FALSE
  69. meta SARE_MSGID_LONG55 __SARE_HEAD_FALSE
  70. meta SARE_MULT_VIA_FWCATS __SARE_HEAD_FALSE
  71. meta SARE_RECV_IP_064080 __SARE_HEAD_FALSE
  72. meta SARE_RECV_ISWEST __SARE_HEAD_FALSE
  73. meta SARE_FROM_AMERICA __SARE_HEAD_FALSE
  74. meta SARE_MSGID_06D6 __SARE_HEAD_FALSE
  75. meta SARE_RECV_IP_212164 __SARE_HEAD_FALSE
  76. meta SARE_BOUNDARY_MULTB __SARE_HEAD_FALSE
  77. meta SARE_FROM_NUM_9DIG __SARE_HEAD_FALSE
  78. meta SARE_FROM_PRINTER __SARE_HEAD_FALSE
  79. meta SARE_HEAD_8BIT_NOSPM __SARE_HEAD_FALSE
  80. meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_FALSE
  81. meta SARE_HEAD_HDR_XCCDIAG __SARE_HEAD_FALSE
  82. meta SARE_HEAD_HDR_XMAILTH __SARE_HEAD_FALSE
  83. meta SARE_HEAD_HDR_XSMTPSV __SARE_HEAD_FALSE
  84. meta SARE_HEAD_HDR_XUMAIL __SARE_HEAD_FALSE
  85. meta SARE_HELO_SERVER __SARE_HEAD_FALSE
  86. meta SARE_MSGID_LONG35 __SARE_HEAD_FALSE
  87. meta SARE_MSGID_LONG65 __SARE_HEAD_FALSE
  88. meta SARE_MSGID_LONG75 __SARE_HEAD_FALSE
  89. meta SARE_RECV_IP_066111 __SARE_HEAD_FALSE
  90. meta SARE_RECV_SUSP_3 __SARE_HEAD_FALSE
  91. meta SARE_XMAIL_XMAIL __SARE_HEAD_FALSE
  92. meta SARE_HEAD_HDR_XEMGBMS __SARE_HEAD_FALSE
  93. meta SARE_HEAD_XCANIT1 __SARE_HEAD_FALSE
  94. meta SARE_HEAD_XCANIT2 __SARE_HEAD_FALSE
  95. meta SARE_MSGID_SPAM_DOMN0 __SARE_HEAD_FALSE
  96. meta SARE_MSGID_SUSP2 __SARE_HEAD_FALSE
  97. meta SARE_RECV_IP_081019 __SARE_HEAD_FALSE
  98. meta SARE_RECV_IP_211049 __SARE_HEAD_FALSE
  99. meta SARE_RECV_RND_NUMBER __SARE_HEAD_FALSE
  100. meta SARE_FROM_NONAME __SARE_HEAD_FALSE
  101. meta SARE_FROM_SPAM_CHAR0 __SARE_HEAD_FALSE
  102. meta SARE_HEAD_XCOM_RFCMIN __SARE_HEAD_FALSE
  103. meta SARE_RECV_IP_080178 __SARE_HEAD_FALSE
  104. meta SARE_XMAIL_SUSP3 __SARE_HEAD_FALSE
  105. meta SARE_MSGID_DBL_AT __SARE_HEAD_FALSE
  106. meta SARE_FREE_WEBM_USACOPS __SARE_HEAD_FALSE
  107. meta SARE_FROM_SPAM_DOMN0 __SARE_HEAD_FALSE
  108. meta SARE_HEAD_HDR_ALTREC __SARE_HEAD_FALSE
  109. meta SARE_HEAD_HDR_XBBOUNC __SARE_HEAD_FALSE
  110. meta SARE_HEAD_HDR_XLEGAL2 __SARE_HEAD_FALSE
  111. meta SARE_HEAD_HDR_XLEGAL4 __SARE_HEAD_FALSE
  112. meta SARE_HEAD_HDR_XMEBDOM __SARE_HEAD_FALSE
  113. meta SARE_HEAD_HDR_XWTID __SARE_HEAD_FALSE
  114. meta SARE_HEAD_HDR_XWTVERS __SARE_HEAD_FALSE
  115. meta SARE_HEAD_ORIG_RECIP __SARE_HEAD_FALSE
  116. meta SARE_RECV_IP_195229 __SARE_HEAD_FALSE
  117. meta SARE_FREE_WEBM_EsTerra __SARE_HEAD_FALSE
  118. meta SARE_FROM_SPAM_NAME2A __SARE_HEAD_FALSE
  119. meta SARE_HEAD_DATE46 __SARE_HEAD_FALSE
  # NOTE(review): SARE_HEAD_HDR_XEMAIL is also defined as a live, scored
  # "header ... exists:X-EMail" rule at listing line 177, and the change log
  # lists it as moved INTO file 1. One of the two definitions should go.
  120. meta SARE_HEAD_HDR_XEMAIL __SARE_HEAD_FALSE
  121. meta SARE_HEAD_MIME_INVALID __SARE_HEAD_FALSE
  122. meta SARE_RECV_IP_063106130 __SARE_HEAD_FALSE
  123. meta SARE_HEAD_HDR_XLISTAD __SARE_HEAD_FALSE
  124. meta SARE_HEAD_MSMPR_RNDSTR __SARE_HEAD_FALSE
  125. meta SARE_RECV_IP_209190 __SARE_HEAD_FALSE
  126. meta SARE_HEAD_DATE_RNDDATE __SARE_HEAD_FALSE
  127. meta SARE_HEAD_HDR_MSGTYPE __SARE_HEAD_FALSE
  128. meta SARE_HEAD_HDR_X400RCV __SARE_HEAD_FALSE
  129. meta SARE_HEAD_HDR_XCNDINF __SARE_HEAD_FALSE
  130. meta SARE_HEAD_HDR_XRIPE __SARE_HEAD_FALSE
  131. meta SARE_HEAD_HDR_XSAFMMI __SARE_HEAD_FALSE
  132. meta SARE_RECV_IP_062023 __SARE_HEAD_FALSE
  133. meta SARE_RECV_IP_065205157 __SARE_HEAD_FALSE
  134. meta SARE_RECV_IP_066248154 __SARE_HEAD_FALSE
  135. meta SARE_RECV_IP_206248152 __SARE_HEAD_FALSE
  136. meta SARE_RECV_RND_DATE __SARE_HEAD_FALSE
  137. meta SARE_XMAIL_GDI __SARE_HEAD_FALSE
  138. meta SARE_HEAD_DATE_5L __SARE_HEAD_FALSE
  139. meta SARE_HEAD_XWORD __SARE_HEAD_FALSE
  # NOTE(review): duplicate of listing line 122 (same name, same alias);
  # harmless, but one of the two lines is redundant.
  140. meta SARE_RECV_IP_063106130 __SARE_HEAD_FALSE
  141. meta SARE_RECV_IP_064034 __SARE_HEAD_FALSE
  142. meta SARE_XMAIL_GOMAIL __SARE_HEAD_FALSE
  143. meta SARE_XMAIL_TOLMAIL __SARE_HEAD_FALSE
  144. meta SARE_FROM_DVDCOPY __SARE_HEAD_FALSE
  145. meta SARE_RECV_FREESERVE __SARE_HEAD_FALSE
  146. #####################################################################################
  147. # SARE Header-Exists rules
  148. ######## ###################### ##################################################
  # Fires on the mere presence of an Approved: header; the header's value is
  # not examined. The sender controls this header entirely, so the rule is
  # trivially avoided by omitting it. The #hist note records 2 confirmed ham hits.
  149. header SARE_HEAD_HDR_APPROV exists:Approved
  150. describe SARE_HEAD_HDR_APPROV Message headers used which identify spam
  151. score SARE_HEAD_HDR_APPROV 0.166
  152. #hist SARE_HEAD_HDR_APPROV Moved file 0 to 1, version 01.03.09, 2 ham confirmed
  153. #counts SARE_HEAD_HDR_APPROV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  154. #max SARE_HEAD_HDR_APPROV 163s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
  155. #counts SARE_HEAD_HDR_APPROV 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  156. #counts SARE_HEAD_HDR_APPROV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
  157. #counts SARE_HEAD_HDR_APPROV 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  158. #max SARE_HEAD_HDR_APPROV 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  159. #counts SARE_HEAD_HDR_APPROV 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  160. #max SARE_HEAD_HDR_APPROV 19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  161. #counts SARE_HEAD_HDR_APPROV 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  162. #counts SARE_HEAD_HDR_APPROV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Presence test for a Disclose-Recipients: header (value ignored).
  # The #ham note records 4 confirmed ham hits and names usdoj.gov as a
  # legitimate user of this header, so it is an indicator, not proof.
  163. header SARE_HEAD_HDR_DISCREC exists:Disclose-Recipients
  164. describe SARE_HEAD_HDR_DISCREC Message headers used which identify spam
  165. score SARE_HEAD_HDR_DISCREC 0.772
  166. #ham SARE_HEAD_HDR_DISCREC confirmed (4), Used by usdoj.gov
  167. #counts SARE_HEAD_HDR_DISCREC 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  168. #max SARE_HEAD_HDR_DISCREC 210s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
  169. #counts SARE_HEAD_HDR_DISCREC 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  170. #counts SARE_HEAD_HDR_DISCREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
  171. #counts SARE_HEAD_HDR_DISCREC 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  172. #max SARE_HEAD_HDR_DISCREC 33s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  173. #counts SARE_HEAD_HDR_DISCREC 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  174. #max SARE_HEAD_HDR_DISCREC 9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  175. #counts SARE_HEAD_HDR_DISCREC 4s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  176. #counts SARE_HEAD_HDR_DISCREC 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Presence test for an X-EMail: header (value ignored), scored 1.666.
  # NOTE(review): the same rule name is aliased to the always-false
  # __SARE_HEAD_FALSE meta at listing line 120. The two definitions conflict;
  # presumably this later one takes effect, but only one should remain.
  177. header SARE_HEAD_HDR_XEMAIL exists:X-EMail
  178. describe SARE_HEAD_HDR_XEMAIL Message headers used which identify spam
  179. score SARE_HEAD_HDR_XEMAIL 1.666
  180. #ham SARE_HEAD_HDR_XEMAIL confirmed (several, one source)
  181. #counts SARE_HEAD_HDR_XEMAIL 221s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  182. #max SARE_HEAD_HDR_XEMAIL 841s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  183. #counts SARE_HEAD_HDR_XEMAIL 78s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  184. #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  185. #counts SARE_HEAD_HDR_XEMAIL 458s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  186. #counts SARE_HEAD_HDR_XEMAIL 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  187. #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  188. #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
  # Presence test for an X-ENC: header (value ignored).
  # Most corpora listed below report no hits at all; the DOC corpus (57s/0h)
  # is the only sizeable source of matches.
  189. header SARE_HEAD_HDR_XENC exists:X-ENC
  190. describe SARE_HEAD_HDR_XENC Message headers used which identify spam
  191. score SARE_HEAD_HDR_XENC 0.872
  192. #stype SARE_HEAD_HDR_XENC spamp
  193. #hist SARE_HEAD_HDR_XENC Created by Bob Menschel Sep 03 2004
  194. #counts SARE_HEAD_HDR_XENC 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
  195. #max SARE_HEAD_HDR_XENC 19s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
  196. #counts SARE_HEAD_HDR_XENC 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  197. #max SARE_HEAD_HDR_XENC 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  198. #counts SARE_HEAD_HDR_XENC 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
  199. #counts SARE_HEAD_HDR_XENC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  200. #counts SARE_HEAD_HDR_XENC 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  201. #counts SARE_HEAD_HDR_XENC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Two sub-rules (Received present, X-Identity-Key present) feed a meta that
  # requires both.
  # NOTE(review): SARE_HEAD_HDR_XIDKEY is defined twice, first as that meta
  # and then again as a plain "header ... exists:" rule. If the later
  # definition replaces the earlier one (presumably the case), the
  # __HAS_RCVD condition is silently dropped and both sub-rules are evaluated
  # for nothing. The meta looks like the intended form; if so, delete the
  # header line at listing line 205. Confirm the effective rule with --lint.
  202. header __HAS_RCVD exists:Received
  203. header __SARE_HEAD_HDR_IDKEY exists:X-Identity-Key
  204. meta SARE_HEAD_HDR_XIDKEY __SARE_HEAD_HDR_IDKEY && __HAS_RCVD
  205. header SARE_HEAD_HDR_XIDKEY exists:X-Identity-Key
  206. describe SARE_HEAD_HDR_XIDKEY Apparent spam sign in headers
  207. score SARE_HEAD_HDR_XIDKEY 1.666
  208. #ham SARE_HEAD_HDR_XIDKEY verified (4)
  209. #hist SARE_HEAD_HDR_XIDKEY Created by Chris Santerre Aug 31 2004
  210. #counts SARE_HEAD_HDR_XIDKEY 30s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  211. #max SARE_HEAD_HDR_XIDKEY 3611s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  212. #counts SARE_HEAD_HDR_XIDKEY 232s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  213. #counts SARE_HEAD_HDR_XIDKEY 68s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  214. #counts SARE_HEAD_HDR_XIDKEY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  215. #counts SARE_HEAD_HDR_XIDKEY 104s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  216. #counts SARE_HEAD_HDR_XIDKEY 367s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  217. #counts SARE_HEAD_HDR_XIDKEY 859s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Sub-rules on the X-Legal: header, all case-insensitive (/i):
  #   __SARE_HEAD_HDR_XLEGAL  header is present
  #   __SARE_HEAD_HDR_XLEGAC  value contains "copyright" or "(c)"
  #   __SARE_HEAD_HDR_XLEGAI  value contains "in compliance"
  #   __SARE_HEAD_HDR_XLEGAB  value contains "BE ADVISED"
  # SARE_HEAD_HDR_XLEGAL1 fires when the value has both "BE ADVISED" and
  # "in compliance" but no copyright wording. The presence sub-rule is not
  # part of this meta; it is consumed by SARE_HEAD_HDR_XLEGAL3.
  218. header __SARE_HEAD_HDR_XLEGAL exists:X-Legal
  219. header __SARE_HEAD_HDR_XLEGAC X-Legal =~ m'copyright|\(c\)'i
  220. header __SARE_HEAD_HDR_XLEGAI X-Legal =~ m'in compliance'i
  221. header __SARE_HEAD_HDR_XLEGAB X-Legal =~ m'BE ADVISED'i
  222. meta SARE_HEAD_HDR_XLEGAL1 __SARE_HEAD_HDR_XLEGAB && __SARE_HEAD_HDR_XLEGAI && !__SARE_HEAD_HDR_XLEGAC
  223. describe SARE_HEAD_HDR_XLEGAL1 Message headers used which identify spam
  224. score SARE_HEAD_HDR_XLEGAL1 1.666
  225. #stype SARE_HEAD_HDR_XLEGAL1 spamgg
  226. #hist SARE_HEAD_HDR_XLEGAL1 Bob Menschel, Aug 07 2005
  227. #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  228. #max SARE_HEAD_HDR_XLEGAL1 7s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  229. #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  230. #counts SARE_HEAD_HDR_XLEGAL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  231. #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
  # Catch-all for X-Legal: fires when the header is present, XLEGAL1 did not
  # fire, and the value has no copyright wording, so XLEGAL1 and XLEGAL3 are
  # mutually exclusive on a given message.
  # NOTE(review): this meta depends on the scored rule SARE_HEAD_HDR_XLEGAL1
  # rather than on its sub-rules. If a site disables XLEGAL1 (score 0), the
  # "!SARE_HEAD_HDR_XLEGAL1" term presumably becomes always true and this rule
  # widens. Using !(__SARE_HEAD_HDR_XLEGAB && __SARE_HEAD_HDR_XLEGAI) instead
  # would remove that coupling -- verify before changing.
  232. meta SARE_HEAD_HDR_XLEGAL3 __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !__SARE_HEAD_HDR_XLEGAC
  233. describe SARE_HEAD_HDR_XLEGAL3 Message headers used which identify spam
  234. score SARE_HEAD_HDR_XLEGAL3 1.666
  235. #stype SARE_HEAD_HDR_XLEGAL3 spamgg
  236. #hist SARE_HEAD_HDR_XLEGAL3 Bob Menschel, Aug 07 2005
  237. #counts SARE_HEAD_HDR_XLEGAL3 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  238. #counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  239. #counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
  # Presence test for an X-Mailid: header (value ignored), scored 1.666.
  # The "#was" line below records an earlier CT run with 0 spam / 3 ham hits,
  # so legitimate senders of this header are known to exist.
  240. header SARE_HEAD_HDR_XMAILID exists:X-Mailid
  241. describe SARE_HEAD_HDR_XMAILID Message headers used which identify spam
  242. score SARE_HEAD_HDR_XMAILID 1.666
  243. #ham SARE_HEAD_HDR_XMAILID confirmed
  244. #counts SARE_HEAD_HDR_XMAILID 248s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  245. #counts SARE_HEAD_HDR_XMAILID 4s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  246. #counts SARE_HEAD_HDR_XMAILID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
  247. #counts SARE_HEAD_HDR_XMAILID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  248. #counts SARE_HEAD_HDR_XMAILID 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  249. #was SARE_HEAD_HDR_XMAILID 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
  250. #counts SARE_HEAD_HDR_XMAILID 5s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Presence test for an X-Mailer-Server: header (value ignored).
  # NOTE(review): the most recent RM count below is 2 spam / 5 ham (max
  # 67s/10h), i.e. more ham than spam in that run; a positive score may no
  # longer be justified for that corpus -- re-check before relying on it.
  251. header SARE_HEAD_HDR_XMLRSRV exists:X-Mailer-Server
  252. describe SARE_HEAD_HDR_XMLRSRV Message headers used which identify spam
  253. score SARE_HEAD_HDR_XMLRSRV 0.555
  254. #ham SARE_HEAD_HDR_XMLRSRV verified (1)
  255. #counts SARE_HEAD_HDR_XMLRSRV 2s/5h of 173032 corpus (99056s/73976h RM) 05/11/06
  256. #max SARE_HEAD_HDR_XMLRSRV 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
  257. #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
  258. #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  259. #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  260. #counts SARE_HEAD_HDR_XMLRSRV 84s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  261. #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Presence test for an X-Response-ID: header (value ignored).
  # The latest RM count below is 0 spam / 1 ham; spam hits come from the
  # older max line and the AxB2 / FVGT corpora.
  262. header SARE_HEAD_HDR_XRESPID exists:X-Response-ID
  263. describe SARE_HEAD_HDR_XRESPID Message headers used which identify spam
  264. score SARE_HEAD_HDR_XRESPID 0.528
  265. #ham SARE_HEAD_HDR_XRESPID confirmed (1)
  266. #counts SARE_HEAD_HDR_XRESPID 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  267. #max SARE_HEAD_HDR_XRESPID 35s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  268. #counts SARE_HEAD_HDR_XRESPID 18s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  269. #counts SARE_HEAD_HDR_XRESPID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
  270. #counts SARE_HEAD_HDR_XRESPID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  271. #counts SARE_HEAD_HDR_XRESPID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  272. #counts SARE_HEAD_HDR_XRESPID 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Presence test for an X-SID-PRA: header (value ignored). The describe text
  # ("fingerprint") gives no rationale for the rule.
  # NOTE(review): the counts below are identical to SARE_HEAD_HDR_XSIDRES in
  # every corpus, which suggests the two headers arrive together; a message
  # would then presumably collect both 0.616 scores for one signal.
  273. header SARE_HEAD_HDR_XSIDPRA exists:X-SID-PRA
  274. describe SARE_HEAD_HDR_XSIDPRA fingerprint
  275. score SARE_HEAD_HDR_XSIDPRA 0.616
  276. #ham SARE_HEAD_HDR_XSIDPRA confirmed
  277. #hist SARE_HEAD_HDR_XSIDPRA Alex Broens, Aug 3 2005
  278. #counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  279. #max SARE_HEAD_HDR_XSIDPRA 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
  280. #counts SARE_HEAD_HDR_XSIDPRA 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  281. #counts SARE_HEAD_HDR_XSIDPRA 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  282. #max SARE_HEAD_HDR_XSIDPRA 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  283. #counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  # Presence test for an X-SID-Result: header (value ignored). The describe
  # text ("fingerprint") gives no rationale for the rule.
  # NOTE(review): the counts below are identical to SARE_HEAD_HDR_XSIDPRA in
  # every corpus, which suggests the two headers arrive together; a message
  # would then presumably collect both 0.616 scores for one signal.
  284. header SARE_HEAD_HDR_XSIDRES exists:X-SID-Result
  285. describe SARE_HEAD_HDR_XSIDRES fingerprint
  286. score SARE_HEAD_HDR_XSIDRES 0.616
  287. #ham SARE_HEAD_HDR_XSIDRES confirmed
  288. #hist SARE_HEAD_HDR_XSIDRES Alex Broens, Aug 3 2005
  289. #counts SARE_HEAD_HDR_XSIDRES 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  290. #max SARE_HEAD_HDR_XSIDRES 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
  291. #counts SARE_HEAD_HDR_XSIDRES 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  292. #counts SARE_HEAD_HDR_XSIDRES 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  293. #max SARE_HEAD_HDR_XSIDRES 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  294. #counts SARE_HEAD_HDR_XSIDRES 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  295. #####################################################################################
  296. # SARE Content-Type and Boundary rules
  297. ######## ###################### ##################################################
  # Matches a quoted MIME boundary made of exactly eight hyphens followed by
  # exactly twenty lower-case letters. Case-sensitive (no /i) and tied to the
  # double-quoted form, so an unquoted or differently cased boundary does not hit.
  298. header SARE_BOUNDARY_05 Content-Type =~ /boundary="-{8}[a-z]{20}"/
  299. describe SARE_BOUNDARY_05 Content type boundary used in spam
  300. score SARE_BOUNDARY_05 1.666
  301. #stype SARE_BOUNDARY_05 vbggg
  302. #hist SARE_BOUNDARY_05 Moved from file 0 to 1 May 2005
  303. #counts SARE_BOUNDARY_05 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  304. #max SARE_BOUNDARY_05 451s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
  305. #counts SARE_BOUNDARY_05 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  306. #counts SARE_BOUNDARY_05 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  307. #max SARE_BOUNDARY_05 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  308. #counts SARE_BOUNDARY_05 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  309. #counts SARE_BOUNDARY_05 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  310. #counts SARE_BOUNDARY_05 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Matches a quoted boundary of the form Boundary_<5>_<4>_<23>, where each
  # field is a fixed-length run of word characters (\w); case-insensitive.
  # \w includes "_", so the separators are only loosely pinned.
  311. header SARE_BOUNDARY_06 Content-Type =~ /boundary="Boundary_\w{5}_\w{4}_\w{23}"/i
  312. describe SARE_BOUNDARY_06 Content type boundary used in spam
  313. score SARE_BOUNDARY_06 1.666
  314. #stype SARE_BOUNDARY_06 vbggg
  315. #hist SARE_BOUNDARY_06 Created by Bob Menschel May 4 2004
  316. #hist SARE_BOUNDARY_06 Moved from file 0 to 1 May 2005
  317. #counts SARE_BOUNDARY_06 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  318. #max SARE_BOUNDARY_06 84s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  319. #counts SARE_BOUNDARY_06 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  320. #counts SARE_BOUNDARY_06 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  321. #counts SARE_BOUNDARY_06 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  322. #counts SARE_BOUNDARY_06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Matches a quoted boundary built from 4 to 20 groups of upper-case letters
  # or digits, each followed by one or more "." or "_", with optional leading
  # separators and optional trailing letters/digits before the closing quote.
  # Case-sensitive: lower-case boundaries do not match. The /s flag has no
  # effect here because the pattern contains no "." metacharacter (the dots
  # are inside character classes).
  # The notes below name known ham senders, and the RM max line shows
  # 5929s/6h, so occasional false positives are documented.
  323. header SARE_BOUNDARY_08 Content-Type =~ /boundary="[\.\_]*(?:[A-Z\d]+[\.\_]+){4,20}[A-Z\d]*\"/s
  324. describe SARE_BOUNDARY_08 Improbable MIME boundary format
  325. score SARE_BOUNDARY_08 1.666
  326. #hist SARE_BOUNDARY_08 LW_BOUNDARY1
  327. #ham SARE_BOUNDARY_08 ServiceMagic <customerservice@servicemagic.com>, 2001
  328. #ham SARE_BOUNDARY_08 verizon wireless picture phone transmission
  329. #counts SARE_BOUNDARY_08 613s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  330. #max SARE_BOUNDARY_08 5929s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
  331. #counts SARE_BOUNDARY_08 38s/3h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  332. #counts SARE_BOUNDARY_08 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  333. #max SARE_BOUNDARY_08 228s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  334. #counts SARE_BOUNDARY_08 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  335. #max SARE_BOUNDARY_08 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  336. #counts SARE_BOUNDARY_08 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  337. #max SARE_BOUNDARY_08 18s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  338. #counts SARE_BOUNDARY_08 826s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  339. #counts SARE_BOUNDARY_08 243s/2h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Matches a quoted boundary consisting of exactly ten digits.
  # One ham hit is recorded as verified below.
  340. header SARE_BOUNDARY_D10 Content-Type =~ /boundary="\d{10}"/
  341. describe SARE_BOUNDARY_D10 Content type boundary used in spam or virus
  342. score SARE_BOUNDARY_D10 0.444
  343. #ham SARE_BOUNDARY_D10 verified (1)
  344. #hist SARE_BOUNDARY_D10 Created by Bob Menschel May 31 2004
  345. #counts SARE_BOUNDARY_D10 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  346. #max SARE_BOUNDARY_D10 134s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  347. #counts SARE_BOUNDARY_D10 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  348. #counts SARE_BOUNDARY_D10 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  349. #counts SARE_BOUNDARY_D10 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  350. #max SARE_BOUNDARY_D10 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  351. #counts SARE_BOUNDARY_D10 5s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  352. #counts SARE_BOUNDARY_D10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Matches a quoted boundary made only of lower-case letters, except ones
  # beginning with "ffff"; the (?!ffff) lookahead excludes those because the
  # #ham note below ties "ffff" boundaries to two newsletter senders.
  # NOTE(review): the most recent RM run below hit 0 spam / 3 ham and the CT
  # run 0 spam / 1 ham, while the score is 1.666 -- re-validate before use.
  353. header SARE_BOUNDARY_LC Content-Type =~ /boundary="(?!ffff)[a-z]+"/
  354. describe SARE_BOUNDARY_LC Content type boundary used in spam
  355. score SARE_BOUNDARY_LC 1.666
  356. #ham SARE_BOUNDARY_LC questionable newsletters
  357. #hist SARE_BOUNDARY_LC Created by Bob Menschel May 31 2004
  358. #ham SARE_BOUNDARY_LC "ffff": Game Rival <newsletter@gamerival.com>, ThePerfectGreeting <updates@perfectgreeting.com>
  359. #counts SARE_BOUNDARY_LC 0s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
  360. #max SARE_BOUNDARY_LC 899s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
  361. #counts SARE_BOUNDARY_LC 44s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  362. #counts SARE_BOUNDARY_LC 83s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  363. #counts SARE_BOUNDARY_LC 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  364. #counts SARE_BOUNDARY_LC 0s/1h of 13313 corpus (7438s/5875h CT) 05/14/06
  365. #max SARE_BOUNDARY_LC 125s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  366. #counts SARE_BOUNDARY_LC 15s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  367. #counts SARE_BOUNDARY_LC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Matches a quoted boundary that contains "_NextPart_" twice. The pattern is
  # unanchored at the end and does not require a closing quote.
  # NOTE(review): 4.000 is the highest score in the visible part of this file.
  # Against SpamAssassin's stock required_score of 5.0 that leaves little
  # margin, so one further weak hit would tag the message. The most recent
  # counts below are zero in every corpus; re-validate the score for the
  # site's threshold and current mail.
  368. header SARE_BOUNDARY_NP2 Content-Type =~ /boundary=".*_NextPart_.*_NextPart_/
  369. describe SARE_BOUNDARY_NP2 Content type boundary used in spam and viruses
  370. score SARE_BOUNDARY_NP2 4.000
  371. #stype SARE_BOUNDARY_NP2 vbg
  372. #hist SARE_BOUNDARY_NP2 Created by Bob Menschel May 31 2004
  373. #hist SARE_BOUNDARY_NP2 Bugzilla entry 3861, Oct 03 2004
  374. #counts SARE_BOUNDARY_NP2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  375. #max SARE_BOUNDARY_NP2 1118s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
  376. #counts SARE_BOUNDARY_NP2 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  377. #max SARE_BOUNDARY_NP2 37s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  378. #counts SARE_BOUNDARY_NP2 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  379. #counts SARE_BOUNDARY_NP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  380. #counts SARE_BOUNDARY_NP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  381. #####################################################################################
  382. # SARE From Rules
  383. ######## ###################### ##################################################
  384. header SARE_FROM_AST From =~ /<\*\@.{1,50}\..{1,3}/
       # Hits a From address whose local part is a lone "*" directly after "<".
       # The tail is unanchored: it only requires 1-50 characters, a dot, and at
       # least one further character, so it does not validate the domain shape.
  385. describe SARE_FROM_AST Invalid character in email address
  386. score SARE_FROM_AST 0.666
  387. #hist SARE_FROM_AST Originally submitted by Fred Tarasevicius
  388. #hist SARE_FROM_AST Returned from file 2 to file 1 Oct 2005
  389. #counts SARE_FROM_AST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  390. #max SARE_FROM_AST 20s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
  391. #counts SARE_FROM_AST 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  392. #counts SARE_FROM_AST 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  393. #counts SARE_FROM_AST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  394. #counts SARE_FROM_AST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
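  395. header SARE_FROM_CAPS_MSN From =~ /"[^"]+" <[A-Z]+\@msn\.com>/ # no /i
       # Hits a quoted display name followed by an address whose local part is
       # uppercase ASCII letters only, at msn.com. Case-sensitive on purpose
       # (see "# no /i"): the all-caps local part is the signal. The dot in the
       # domain is escaped so only the literal "msn.com" matches, not "msn" +
       # any character + "com".
  396. describe SARE_FROM_CAPS_MSN Ratware all-caps MSN from address
  397. score SARE_FROM_CAPS_MSN 0.828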
  398. #ham SARE_FROM_CAPS_MSN verified (3)
  399. #hist SARE_FROM_CAPS_MSN Created by Bob Menschel May 15 2004
  400. #counts SARE_FROM_CAPS_MSN 18s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
  401. #max SARE_FROM_CAPS_MSN 421s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
  402. #counts SARE_FROM_CAPS_MSN 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  403. #counts SARE_FROM_CAPS_MSN 48s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  404. #max SARE_FROM_CAPS_MSN 102s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  405. #counts SARE_FROM_CAPS_MSN 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  406. #max SARE_FROM_CAPS_MSN 59s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  407. #counts SARE_FROM_CAPS_MSN 28s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  408. #max SARE_FROM_CAPS_MSN 51s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  409. #counts SARE_FROM_CAPS_MSN 61s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  410. #counts SARE_FROM_CAPS_MSN 28s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  411. header SARE_FROM_DRUGS2 From =~ /\bsoma\b/i
       # Case-insensitive hit on the standalone word "soma" anywhere in From:
       # display name, local part or a domain label all count (compare the ham
       # sender with userid "soma" recorded in #hist).
  412. describe SARE_FROM_DRUGS2 From a drug
  413. score SARE_FROM_DRUGS2 0.644
  414. #ham SARE_FROM_DRUGS2 verified (3)
  415. #hist SARE_FROM_DRUGS2 Bob Menschel June 25 2005; ham email from userid = soma
  416. #counts SARE_FROM_DRUGS2 1s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  417. #max SARE_FROM_DRUGS2 79s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
  418. #counts SARE_FROM_DRUGS2 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  419. #max SARE_FROM_DRUGS2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
  420. #counts SARE_FROM_DRUGS2 20s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  421. #max SARE_FROM_DRUGS2 62s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  422. #counts SARE_FROM_DRUGS2 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  423. #counts SARE_FROM_DRUGS2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  424. header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i # SA 3.1.0
       # NOTE(review): this file defines FROM_BLANK_NAME itself; the trailing
       # comment suggests it mirrors the SpamAssassin 3.1.0 rule of that name --
       # confirm it does not replace a newer stock definition when both load.
  425. header __SARE_FROM_NONAME From =~ /"" ?</
       # Sub-rule: an empty quoted display name ("") then an optional space and "<".
  426. meta SARE_FROM_NONAME __SARE_FROM_NONAME && !FROM_BLANK_NAME
       # Fires only for empty-name senders that FROM_BLANK_NAME does not hit, so
       # this meta never adds its score on top of that rule for one message.
       # No describe line is given for SARE_FROM_NONAME.
  427. score SARE_FROM_NONAME 1.294
  428. #hist SARE_FROM_NONAME Created by Fred Tarasevicius
  429. #overlap SARE_FROM_NONAME SARE rule catches spam missed by SA rule. Use meta to avoid duplication
  430. #counts SARE_FROM_NONAME 256s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
  431. #max SARE_FROM_NONAME 371s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
  432. #counts SARE_FROM_NONAME 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  433. #counts SARE_FROM_NONAME 11s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  434. #counts SARE_FROM_NONAME 129s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  435. #counts SARE_FROM_NONAME 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  436. header SARE_FROM_SPAM_DOMN0Y From =~ /\byahoo\.net/i
       # Case-insensitive hit on "yahoo.net" anywhere in From. Nothing anchors
       # the end, so a longer name that starts this way (constructed example:
       # yahoo.network) matches as well.
  437. describe SARE_FROM_SPAM_DOMN0Y From address suggests this is spam
  438. score SARE_FROM_SPAM_DOMN0Y 0.555
  439. #ham SARE_FROM_SPAM_DOMN0Y confirmed: 1 yahoo.net, perhaps a user's error
  440. #counts SARE_FROM_SPAM_DOMN0Y 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  441. #max SARE_FROM_SPAM_DOMN0Y 36s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
  442. header __SARE_FROM_SPAM_MONY1 From =~ /money.*\@/i
       # Sub-rule: "money" somewhere before an "@", with any text in between.
       # The meta in this block does not reference it; SARE_FROM_SPAM_MONEY2 does.
  443. header __SARE_FROM_SPAM_MONY2 From =~ /money\S*\@/i
       # Sub-rule: "money" and a following "@" with no whitespace between them,
       # which is typically the address itself rather than a separate display name.
  444. meta SARE_FROM_SPAM_MONEY __SARE_FROM_SPAM_MONY2
       # The meta simply re-exposes __SARE_FROM_SPAM_MONY2 under a scored name.
  445. describe SARE_FROM_SPAM_MONEY From address suggests this is spam
  446. score SARE_FROM_SPAM_MONEY 1.208
  447. #ham SARE_FROM_SPAM_MONEY confirmed (1)
  448. #addsto SARE_FROM_SPAM_MONEY SARE_FROM_SPAM_MONEY2
  449. #hist SARE_FROM_SPAM_MONEY RM_fw_Money. Meta created Aug 20 2004 to improve scoring.
  450. #counts SARE_FROM_SPAM_MONEY 257s/8h of 173032 corpus (99056s/73976h RM) 05/11/06
  451. #max SARE_FROM_SPAM_MONEY 249s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
  452. #counts SARE_FROM_SPAM_MONEY 68s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  453. #counts SARE_FROM_SPAM_MONEY 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  454. #counts SARE_FROM_SPAM_MONEY 14s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  455. #max SARE_FROM_SPAM_MONEY 31s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  456. #counts SARE_FROM_SPAM_MONEY 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  457. #max SARE_FROM_SPAM_MONEY 33s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  458. #counts SARE_FROM_SPAM_MONEY 693s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  459. #counts SARE_FROM_SPAM_MONEY 18s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
  460. header __SARE_FROM_SPAM_MONY1 From =~ /money.*\@/i
  461. header __SARE_FROM_SPAM_MONY2 From =~ /money\S*\@/i
       # NOTE(review): both sub-rules repeat, with identical patterns, the
       # definitions given earlier in this file beside SARE_FROM_SPAM_MONEY;
       # an edit to one copy must be made to the other.
  462. meta SARE_FROM_SPAM_MONEY2 __SARE_FROM_SPAM_MONY1 && !__SARE_FROM_SPAM_MONY2
       # True when "money" precedes an "@" but whitespace lies between every
       # such "money" and the "@" -- the display-name case described in #ham.
  463. describe SARE_FROM_SPAM_MONEY2 From address suggests this is spam
  464. score SARE_FROM_SPAM_MONEY2 0.890
  465. #ham SARE_FROM_SPAM_MONEY2 Valid end-users with "money" in their display name
  466. #counts SARE_FROM_SPAM_MONEY2 84s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  467. #max SARE_FROM_SPAM_MONEY2 290s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
  468. #counts SARE_FROM_SPAM_MONEY2 33s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  469. #counts SARE_FROM_SPAM_MONEY2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  470. #counts SARE_FROM_SPAM_MONEY2 61s/3h of 22942 corpus (17234s/5708h MY) 05/14/06
  471. #max SARE_FROM_SPAM_MONEY2 62s/3h of 47809 corpus (43224s/4585h MY) 07/27/05
  472. #counts SARE_FROM_SPAM_MONEY2 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  473. #max SARE_FROM_SPAM_MONEY2 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  474. #counts SARE_FROM_SPAM_MONEY2 176s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  475. #counts SARE_FROM_SPAM_MONEY2 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  476. header SARE_FROM_SPAM_NAME0 From =~ /(?:Direct Marketing|FreeOffers|FunBenefits|salestonight|WESTEC SALES|\bWSEAS\b)/i
       # Case-insensitive hit on any listed sender name anywhere in From. Only
       # WSEAS is bounded by \b; the other alternatives match as substrings.
       # NOTE(review): 3.333 from one sender-supplied header is a large share of
       # a 5.0 threshold (the SpamAssassin default) -- check against current ham.
  477. describe SARE_FROM_SPAM_NAME0 From address suggests this is spam
  478. score SARE_FROM_SPAM_NAME0 3.333
  479. #stype SARE_FROM_SPAM_NAME0 spamg
  480. #hist SARE_FROM_SPAM_NAME0 COMBINED.FROM and other sources
  481. #counts SARE_FROM_SPAM_NAME0 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  482. #max SARE_FROM_SPAM_NAME0 369s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
  483. #counts SARE_FROM_SPAM_NAME0 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  484. #counts SARE_FROM_SPAM_NAME0 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  485. #counts SARE_FROM_SPAM_NAME0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  486. #counts SARE_FROM_SPAM_NAME0 12s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  487. #counts SARE_FROM_SPAM_NAME0 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  488. header SARE_FROM_SPAM_NAME2A From =~ /\bfunpage\b/i
       # Case-insensitive hit on the standalone word "funpage" anywhere in From
       # (display name, local part or domain label).
  489. describe SARE_FROM_SPAM_NAME2A From address suggests this is spam
  490. score SARE_FROM_SPAM_NAME2A 0.111
  491. #stype SARE_FROM_SPAM_NAME2A spamp
  492. #hist SARE_FROM_SPAM_NAME2A COMBINED.FROM and other sources
  493. #counts SARE_FROM_SPAM_NAME2A 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  494. #counts SARE_FROM_SPAM_NAME2A 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
  495. #counts SARE_FROM_SPAM_NAME2A 2s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
  496. header SARE_FROM_SPAM_PL1 From =~ /\@tpnet\.pl\b/
       # Hits an address directly at tpnet.pl: \@ pins the start of the domain and
       # \b stops the final label from running on (tpnet.plx would not match).
       # NOTE(review): there is no /i and no "# no /i" marker as on
       # SARE_FROM_CAPS_MSN, so an uppercase spelling of the domain is missed --
       # confirm that is intended.
  497. describe SARE_FROM_SPAM_PL1 A lot of spam comes from here
  498. score SARE_FROM_SPAM_PL1 0.500
  499. #stype SARE_FROM_SPAM_PL1 max:0.5 # possible valid ISP in Poland
  500. #hist SARE_FROM_SPAM_PL1 Loren Wilton, Feb 21 2005
  501. #counts SARE_FROM_SPAM_PL1 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  502. #max SARE_FROM_SPAM_PL1 26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
  503. #counts SARE_FROM_SPAM_PL1 14s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  504. #counts SARE_FROM_SPAM_PL1 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
  505. #counts SARE_FROM_SPAM_PL1 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  506. #max SARE_FROM_SPAM_PL1 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  507. #counts SARE_FROM_SPAM_PL1 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  508. #max SARE_FROM_SPAM_PL1 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  509. #counts SARE_FROM_SPAM_PL1 12s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  510. #counts SARE_FROM_SPAM_PL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  511. header SARE_FROM_SPAM_WORD2 From =~ /\b(?:^high.?speed|interacial)\b/i
       # Two case-insensitive alternatives: "interacial" as a whole word anywhere
       # in From, or "high" + at most one character + "speed". The ^ inside the
       # group ties the second form to the very start of the matched string.
       # NOTE(review): a From value that opens with a quote before the name would
       # not hit the "high speed" alternative -- confirm the ^ is intended.
  512. describe SARE_FROM_SPAM_WORD2 From address suggests this is spam
  513. score SARE_FROM_SPAM_WORD2 0.555
  514. #stype SARE_FROM_SPAM_WORD2 spamp
  515. #hist SARE_FROM_SPAM_WORD2 COMBINED.FROM and other sources
  516. #counts SARE_FROM_SPAM_WORD2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  517. #max SARE_FROM_SPAM_WORD2 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  518. #counts SARE_FROM_SPAM_WORD2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  519. #counts SARE_FROM_SPAM_WORD2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  520. #counts SARE_FROM_SPAM_WORD2 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  521. #counts SARE_FROM_SPAM_WORD2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  522. #####################################################################################
  523. # SARE From Rules -- Emails coming from free webmail accounts
  524. # Since spam from these can vary depending upon country of origin,
  525. # country of destination, policies, and enforcement of policies,
  526. # most of these are kept as separate rules rather than combined.
  527. ######## ###################### ##################################################
  528. header SARE_FREE_WEBM_BIGMAIL From =~ /\bbigmailbox\.com/i
       # Case-insensitive hit on "bigmailbox.com" in From. \b only requires a word
       # boundary in front; the end is unanchored, so longer names that start with
       # this string match too.
  529. describe SARE_FREE_WEBM_BIGMAIL Sender used free email account - may be spammer
  530. score SARE_FREE_WEBM_BIGMAIL 0.667
  531. #counts SARE_FREE_WEBM_BIGMAIL 14s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  532. #counts SARE_FREE_WEBM_BIGMAIL 2s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  533. #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  534. #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  535. #max SARE_FREE_WEBM_BIGMAIL 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  536. #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  537. #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  538. header SARE_FREE_WEBM_EsTerra From =~ /\bterra\.es/i
       # Case-insensitive hit on "terra.es" in From. With no anchor after ".es",
       # any name continuing past it (constructed example: terra.essex.example)
       # also matches.
  539. describe SARE_FREE_WEBM_EsTerra Sender used free email account - may be spammer
  540. score SARE_FREE_WEBM_EsTerra 1.666
  541. #counts SARE_FREE_WEBM_EsTerra 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  542. #max SARE_FREE_WEBM_EsTerra 228s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
  543. #counts SARE_FREE_WEBM_EsTerra 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  544. #counts SARE_FREE_WEBM_EsTerra 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  545. #counts SARE_FREE_WEBM_EsTerra 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  546. #max SARE_FREE_WEBM_EsTerra 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  547. #counts SARE_FREE_WEBM_EsTerra 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  548. #max SARE_FREE_WEBM_EsTerra 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  549. #counts SARE_FREE_WEBM_EsTerra 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  550. #counts SARE_FREE_WEBM_EsTerra 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  551. header SARE_FREE_WEBM_FrVoila From =~ /\bvoila\.fr/i
       # Case-insensitive hit on "voila.fr" in From; word boundary in front,
       # nothing anchoring the end.
  552. describe SARE_FREE_WEBM_FrVoila Sender used free email account - may be spammer
  553. score SARE_FREE_WEBM_FrVoila 0.444
  554. #ham SARE_FREE_WEBM_FrVoila confirmed: 1
  555. #counts SARE_FREE_WEBM_FrVoila 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  556. #max SARE_FREE_WEBM_FrVoila 40s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
  557. #counts SARE_FREE_WEBM_FrVoila 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  558. #counts SARE_FREE_WEBM_FrVoila 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  559. #counts SARE_FREE_WEBM_FrVoila 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  560. #max SARE_FREE_WEBM_FrVoila 3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  561. #counts SARE_FREE_WEBM_FrVoila 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  562. #counts SARE_FREE_WEBM_FrVoila 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  563. #counts SARE_FREE_WEBM_FrVoila 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  564. header SARE_FREE_WEBM_Jpop From =~ /\bjpopmail\.com/i
       # Case-insensitive hit on "jpopmail.com" in From; word boundary in front,
       # nothing anchoring the end.
  565. describe SARE_FREE_WEBM_Jpop Sender used free email account - may be spammer
  566. score SARE_FREE_WEBM_Jpop 0.989
  567. #counts SARE_FREE_WEBM_Jpop 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  568. #max SARE_FREE_WEBM_Jpop 66s/0h of 125163 corpus (104972s/20191h) 03/28/04
  569. #counts SARE_FREE_WEBM_Jpop 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  570. #counts SARE_FREE_WEBM_Jpop 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  571. #counts SARE_FREE_WEBM_Jpop 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  572. #max SARE_FREE_WEBM_Jpop 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  573. #counts SARE_FREE_WEBM_Jpop 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  574. #max SARE_FREE_WEBM_Jpop 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  575. #counts SARE_FREE_WEBM_Jpop 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  576. #counts SARE_FREE_WEBM_Jpop 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  577. header SARE_FREE_WEBM_MailD From =~ /mail\d{1,3}\.com/i
       # Case-insensitive hit on "mail" + one to three digits + ".com". There is
       # no \b or \@ in front, so "mail" may be the tail of any longer name, and
       # the text may sit in the display name as well as the address.
  578. describe SARE_FREE_WEBM_MailD Sender used free email account - may be spammer
  579. score SARE_FREE_WEBM_MailD 1.485
  580. #ham SARE_FREE_WEBM_MailD questionable
  581. #counts SARE_FREE_WEBM_MailD 124s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
  582. #max SARE_FREE_WEBM_MailD 2051s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
  583. #counts SARE_FREE_WEBM_MailD 10s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  584. #counts SARE_FREE_WEBM_MailD 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  585. #max SARE_FREE_WEBM_MailD 27s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  586. #counts SARE_FREE_WEBM_MailD 31s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  587. #max SARE_FREE_WEBM_MailD 75s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  588. #counts SARE_FREE_WEBM_MailD 10s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  589. #counts SARE_FREE_WEBM_MailD 234s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  590. #counts SARE_FREE_WEBM_MailD 72s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  591. header SARE_FREE_WEBM_Mailexc From =~ /\bmailexcite\.com/i
       # Case-insensitive hit on "mailexcite.com" in From; word boundary in front,
       # nothing anchoring the end.
  592. describe SARE_FREE_WEBM_Mailexc Sender used free email account - may be spammer
  593. score SARE_FREE_WEBM_Mailexc 0.889
  594. #ham SARE_FREE_WEBM_Mailexc verified (6)
  595. #counts SARE_FREE_WEBM_Mailexc 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  596. #max SARE_FREE_WEBM_Mailexc 44s/0h of 125163 corpus (104972s/20191h) 03/28/04
  597. #counts SARE_FREE_WEBM_Mailexc 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  598. #counts SARE_FREE_WEBM_Mailexc 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  599. #counts SARE_FREE_WEBM_Mailexc 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  600. #max SARE_FREE_WEBM_Mailexc 7s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  601. #counts SARE_FREE_WEBM_Mailexc 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  602. #counts SARE_FREE_WEBM_Mailexc 40s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  603. #counts SARE_FREE_WEBM_Mailexc 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  604. header SARE_FREE_WEBM_NETCITY From =~ /\@netcity\w+\.com/i
       # Case-insensitive hit on an address whose domain starts, right after "@",
       # with "netcity" plus at least one more word character, then ".com".
       # Plain netcity.com does not match because \w+ needs one character.
  605. describe SARE_FREE_WEBM_NETCITY Maybe spammer with free email
  606. score SARE_FREE_WEBM_NETCITY 1.111
  607. #stype SARE_FREE_WEBM_NETCITY spamp
  608. #hist SARE_FREE_WEBM_NETCITY Created by Bob Menschel Aug 20 2004
  609. #counts SARE_FREE_WEBM_NETCITY 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  610. #max SARE_FREE_WEBM_NETCITY 12s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
  611. #counts SARE_FREE_WEBM_NETCITY 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  612. #counts SARE_FREE_WEBM_NETCITY 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  613. #counts SARE_FREE_WEBM_NETCITY 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  614. #max SARE_FREE_WEBM_NETCITY 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  615. #counts SARE_FREE_WEBM_NETCITY 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  616. #counts SARE_FREE_WEBM_NETCITY 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  617. #counts SARE_FREE_WEBM_NETCITY 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  618. header SARE_FREE_WEBM_NetFs From =~ /\bfsmail\.net/i
       # Case-insensitive hit on "fsmail.net" in From; word boundary in front,
       # nothing anchoring the end.
  619. describe SARE_FREE_WEBM_NetFs Sender used free email account - may be spammer
  620. score SARE_FREE_WEBM_NetFs 0.500
  621. #ham SARE_FREE_WEBM_NetFs confirmed (1)
  622. #counts SARE_FREE_WEBM_NetFs 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  623. #max SARE_FREE_WEBM_NetFs 129s/0h of 125163 corpus (104972s/20191h) 03/28/04
  624. #counts SARE_FREE_WEBM_NetFs 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  625. #counts SARE_FREE_WEBM_NetFs 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  626. #counts SARE_FREE_WEBM_NetFs 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  627. #max SARE_FREE_WEBM_NetFs 8s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  628. #counts SARE_FREE_WEBM_NetFs 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  629. #counts SARE_FREE_WEBM_NETCITY 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  630. #counts SARE_FREE_WEBM_NetFs 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  631. header SARE_FREE_WEBM_NetSafe From =~ /\bsafe-mail\.net/i
       # Case-insensitive hit on "safe-mail.net" in From; word boundary in front,
       # nothing anchoring the end.
  632. describe SARE_FREE_WEBM_NetSafe Sender used free email account - may be spammer
  633. score SARE_FREE_WEBM_NetSafe 0.667
  634. #counts SARE_FREE_WEBM_NetSafe 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  635. #max SARE_FREE_WEBM_NetSafe 28s/1h of 283497 corpus (129933s/153564h RM) 03/08/05
  636. #counts SARE_FREE_WEBM_NetSafe 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  637. #counts SARE_FREE_WEBM_NetSafe 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  638. #max SARE_FREE_WEBM_NetSafe 9s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  639. #counts SARE_FREE_WEBM_NetSafe 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  640. #max SARE_FREE_WEBM_NetSafe 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  641. #counts SARE_FREE_WEBM_NetSafe 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  642. #max SARE_FREE_WEBM_NetSafe 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  643. #counts SARE_FREE_WEBM_NetSafe 16s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  644. #counts SARE_FREE_WEBM_NetSafe 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  645. #max SARE_FREE_WEBM_NetSafe 6s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
  646. header SARE_FREE_WEBM_Netster From =~ /\bnetster\.com/i
       # Case-insensitive hit on "netster.com" in From; word boundary in front,
       # nothing anchoring the end.
  647. describe SARE_FREE_WEBM_Netster Sender used free email account - may be spammer
  648. score SARE_FREE_WEBM_Netster 0.222
  649. #ham SARE_FREE_WEBM_Netster confirmed (1)
  650. #counts SARE_FREE_WEBM_Netster 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  651. #max SARE_FREE_WEBM_Netster 43s/0h of 125163 corpus (104972s/20191h) 03/28/04
  652. #counts SARE_FREE_WEBM_Netster 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  653. #max SARE_FREE_WEBM_Netster 2s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  654. #counts SARE_FREE_WEBM_Netster 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  655. #max SARE_FREE_WEBM_Netster 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  656. #counts SARE_FREE_WEBM_Netster 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  657. #max SARE_FREE_WEBM_Netster 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  658. #counts SARE_FREE_WEBM_Netster 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  659. #counts SARE_FREE_WEBM_Netster 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  660. header SARE_FREE_WEBM_PlTenbi From =~ /\btenbit\.pl/i
       # Case-insensitive hit on "tenbit.pl" in From; word boundary in front,
       # nothing anchoring the end.
  661. describe SARE_FREE_WEBM_PlTenbi Sender used free email account - may be spammer
  662. score SARE_FREE_WEBM_PlTenbi 1.083
  663. #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  664. #max SARE_FREE_WEBM_PlTenbi 83s/0h of 115937 corpus (94614s/21323h) 04/29/04
  665. #counts SARE_FREE_WEBM_PlTenbi 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  666. #counts SARE_FREE_WEBM_PlTenbi 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  667. #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  668. #max SARE_FREE_WEBM_PlTenbi 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  669. #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  670. #max SARE_FREE_WEBM_PlTenbi 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  671. #counts SARE_FREE_WEBM_PlTenbi 4s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  672. #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  673. header SARE_FREE_WEBM_ZCom05 From =~ /\b(?:redwhitearmy|emailaccount)\.com/i
       # Case-insensitive hit on redwhitearmy.com or emailaccount.com in From;
       # word boundary in front of the name, nothing anchoring the end.
  674. describe SARE_FREE_WEBM_ZCom05 Sender used free email account - may be spammer
  675. score SARE_FREE_WEBM_ZCom05 0.972
  676. #ham SARE_FREE_WEBM_ZCom05 confirmed (1)
  677. #counts SARE_FREE_WEBM_ZCom05 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  678. #max SARE_FREE_WEBM_ZCom05 183s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  679. #counts SARE_FREE_WEBM_ZCom05 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  680. #max SARE_FREE_WEBM_ZCom05 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  681. #counts SARE_FREE_WEBM_ZCom05 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  682. #max SARE_FREE_WEBM_ZCom05 54s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  683. #counts SARE_FREE_WEBM_ZCom05 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  684. #max SARE_FREE_WEBM_ZCom05 14s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  685. #counts SARE_FREE_WEBM_ZCom05 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  686. #counts SARE_FREE_WEBM_ZCom05 32s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  687. header SARE_FREE_WEBM_Whoever From =~ /\bWhoever\.com/i
       # Case-insensitive hit on "whoever.com" in From (the capital W in the
       # pattern has no effect under /i); word boundary in front, open end.
  688. describe SARE_FREE_WEBM_Whoever Sender used free email account - may be spammer
  689. score SARE_FREE_WEBM_Whoever 0.711
  690. #counts SARE_FREE_WEBM_Whoever 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  691. #max SARE_FREE_WEBM_Whoever 18s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
  692. #counts SARE_FREE_WEBM_Whoever 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  693. #max SARE_FREE_WEBM_Whoever 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  694. #counts SARE_FREE_WEBM_Whoever 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  695. #max SARE_FREE_WEBM_Whoever 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  696. #counts SARE_FREE_WEBM_Whoever 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  697. #counts SARE_FREE_WEBM_Whoever 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  698. header SARE_FREE_WEBM_WOWMAIL From =~ /\@wowmail\.com/i
       # Case-insensitive hit on an address directly at wowmail.com: \@ pins the
       # start of the domain, so subdomains do not match; the end is unanchored.
  699. describe SARE_FREE_WEBM_WOWMAIL Sender used free email account - may be spammer
  700. score SARE_FREE_WEBM_WOWMAIL 0.789
  701. #hist SARE_FREE_WEBM_WOWMAIL Created by Bob Menschel June 16 2004
  702. #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  703. #max SARE_FREE_WEBM_WOWMAIL 18s/0h of 92181 corpus (67808s/24373h RM) 07/18/04
  704. #counts SARE_FREE_WEBM_WOWMAIL 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  705. #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  706. #max SARE_FREE_WEBM_WOWMAIL 7s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  707. #counts SARE_FREE_WEBM_WOWMAIL 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  708. #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  709. #max SARE_FREE_WEBM_WOWMAIL 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  710. #counts SARE_FREE_WEBM_WOWMAIL 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  711. header SARE_FREE_WEBM_ZCom01 From =~ /\b(?:sify|superonline|coolgoose)\.com/i
       # Case-insensitive hit on sify.com, superonline.com or coolgoose.com in
       # From; word boundary in front of the name, nothing anchoring the end.
  712. describe SARE_FREE_WEBM_ZCom01 Sender used free email account - may be spammer
  713. score SARE_FREE_WEBM_ZCom01 0.630
  714. #ham SARE_FREE_WEBM_ZCom01 confirmed
  715. #counts SARE_FREE_WEBM_ZCom01 7s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
  716. #max SARE_FREE_WEBM_ZCom01 150s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  717. #counts SARE_FREE_WEBM_ZCom01 3s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  718. #counts SARE_FREE_WEBM_ZCom01 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  719. #counts SARE_FREE_WEBM_ZCom01 4s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  720. #max SARE_FREE_WEBM_ZCom01 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  721. #counts SARE_FREE_WEBM_ZCom01 16s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  722. #counts SARE_FREE_WEBM_ZCom01 33s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  723. #counts SARE_FREE_WEBM_ZCom01 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  724. header SARE_FREE_WEBM_ZCom02 From =~ /\b(?:macmail|emailacc)\.com/i
       # Case-insensitive hit on macmail.com or emailacc.com in From; word
       # boundary in front of the name, nothing anchoring the end.
  725. describe SARE_FREE_WEBM_ZCom02 Sender used free email account - may be spammer
  726. score SARE_FREE_WEBM_ZCom02 0.900
  727. #ham SARE_FREE_WEBM_ZCom02 Confirmed: macmail.com(2)
  728. #counts SARE_FREE_WEBM_ZCom02 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  729. #max SARE_FREE_WEBM_ZCom02 122s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
  730. #counts SARE_FREE_WEBM_ZCom02 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  731. #counts SARE_FREE_WEBM_ZCom02 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  732. #max SARE_FREE_WEBM_ZCom02 10s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  733. #counts SARE_FREE_WEBM_ZCom02 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  734. #max SARE_FREE_WEBM_ZCom02 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  735. #counts SARE_FREE_WEBM_ZCom02 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  736. #max SARE_FREE_WEBM_ZCom02 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  737. #counts SARE_FREE_WEBM_ZCom02 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  738. #counts SARE_FREE_WEBM_ZCom02 43s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  739. header SARE_FREE_WEBM_ZCom03 From =~ /\b(?:pakistanmail|prontomail)\.com/i
       # Case-insensitive hit on pakistanmail.com or prontomail.com in From; word
       # boundary in front, open end. mail2world.com was split out of this rule
       # (see #hist) and is covered by SARE_FREE_WEBM_ZCom03B.
  740. describe SARE_FREE_WEBM_ZCom03 Sender used free email account - may be spammer
  741. score SARE_FREE_WEBM_ZCom03 0.656
  742. #ham SARE_FREE_WEBM_ZCom03 valid email bounce messages
  743. #hist SARE_FREE_WEBM_ZCom03 Removed mail2world.com since it hit ham.
  744. #counts SARE_FREE_WEBM_ZCom03 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  745. #max SARE_FREE_WEBM_ZCom03 139s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  746. #counts SARE_FREE_WEBM_ZCom03 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  747. #counts SARE_FREE_WEBM_ZCom03 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  748. #counts SARE_FREE_WEBM_ZCom03 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  749. #max SARE_FREE_WEBM_ZCom03 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  750. #counts SARE_FREE_WEBM_ZCom03 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  751. #max SARE_FREE_WEBM_ZCom03 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  752. #counts SARE_FREE_WEBM_ZCom03 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  753. #counts SARE_FREE_WEBM_ZCom03 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  754. header SARE_FREE_WEBM_ZCom03B From =~ /\bmail2world\.com/i
       # Case-insensitive hit on "mail2world.com" in From; word boundary in front,
       # nothing anchoring the end.
  755. describe SARE_FREE_WEBM_ZCom03B Sender used free email account - may be spammer
  756. score SARE_FREE_WEBM_ZCom03B 0.917
  757. #ham SARE_FREE_WEBM_ZCom03B valid email bounce messages
  758. #counts SARE_FREE_WEBM_ZCom03B 12s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  759. #max SARE_FREE_WEBM_ZCom03B 139s/14h of 689155 corpus (348140s/341015h RM) 09/18/05
  760. #counts SARE_FREE_WEBM_ZCom03B 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  761. #counts SARE_FREE_WEBM_ZCom03B 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  762. #counts SARE_FREE_WEBM_ZCom03B 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  763. #max SARE_FREE_WEBM_ZCom03B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  764. #counts SARE_FREE_WEBM_ZCom03B 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  765. #max SARE_FREE_WEBM_ZCom03B 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  766. #counts SARE_FREE_WEBM_ZCom03B 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  767. #counts SARE_FREE_WEBM_ZCom03B 29s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  768. header SARE_FREE_WEBM_ZCom04 From =~ /\b(?:luxmail|olemail|sailormoon)\.com/i
       # Case-insensitive hit on luxmail.com, olemail.com or sailormoon.com in
       # From; word boundary in front of the name, nothing anchoring the end.
  769. describe SARE_FREE_WEBM_ZCom04 Sender used free email account - may be spammer
  770. score SARE_FREE_WEBM_ZCom04 0.778
  771. #counts SARE_FREE_WEBM_ZCom04 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  772. #max SARE_FREE_WEBM_ZCom04 19s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
  773. #counts SARE_FREE_WEBM_ZCom04 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  774. #counts SARE_FREE_WEBM_ZCom04 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  775. #counts SARE_FREE_WEBM_ZCom04 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  776. #max SARE_FREE_WEBM_ZCom04 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  777. #counts SARE_FREE_WEBM_ZCom04 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  778. #max SARE_FREE_WEBM_ZCom04 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  779. #counts SARE_FREE_WEBM_ZCom04 10s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  780. #counts SARE_FREE_WEBM_ZCom04 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  781. header SARE_FREE_WEBM_ZCom06 From =~ /\b(?:clickitmail|deskpilot|killergreenmail|lancsmail|lovecat)\.com/i
       # Case-insensitive hit on any of the five listed .com names in From; word
       # boundary in front of the name, nothing anchoring the end.
  782. describe SARE_FREE_WEBM_ZCom06 Sender used free email account - may be spammer
  783. score SARE_FREE_WEBM_ZCom06 0.711
  784. #ham SARE_FREE_WEBM_ZCom06 confirmed
  785. #counts SARE_FREE_WEBM_ZCom06 3s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  786. #max SARE_FREE_WEBM_ZCom06 23s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  787. #counts SARE_FREE_WEBM_ZCom06 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  788. #counts SARE_FREE_WEBM_ZCom06 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  789. #counts SARE_FREE_WEBM_ZCom06 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  790. #max SARE_FREE_WEBM_ZCom06 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  791. #counts SARE_FREE_WEBM_ZCom06 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  792. #counts SARE_FREE_WEBM_ZCom06 26s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  793. #counts SARE_FREE_WEBM_ZCom06 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 0.856 when the From header contains bolt.com or amnestymail.com
  # (case-insensitive). \b only requires a non-word character before "bolt",
  # and nothing anchors the end, so hyphenated or longer names that merely
  # contain "bolt.com" also match.
  794. header SARE_FREE_WEBM_ZCom07 From =~ /\b(?:bolt|amnestymail)\.com/i
  795. describe SARE_FREE_WEBM_ZCom07 Sender used free email account - may be spammer
  796. score SARE_FREE_WEBM_ZCom07 0.856
  797. #counts SARE_FREE_WEBM_ZCom07 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  798. #max SARE_FREE_WEBM_ZCom07 25s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  799. #counts SARE_FREE_WEBM_ZCom07 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  800. #counts SARE_FREE_WEBM_ZCom07 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  801. #max SARE_FREE_WEBM_ZCom07 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  802. #counts SARE_FREE_WEBM_ZCom07 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  803. #max SARE_FREE_WEBM_ZCom07 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  804. #counts SARE_FREE_WEBM_ZCom07 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  805. #counts SARE_FREE_WEBM_ZCom07 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Adds 0.822 when the From header contains "@702mail.co.za" (case-insensitive).
  # The "@" anchors the left side of the domain; the right side is unanchored.
  806. header SARE_FREE_WEBM_ZZa001 From =~ /\@702mail\.co\.za/i
  807. describe SARE_FREE_WEBM_ZZa001 Sender used free email account - may be spammer
  808. score SARE_FREE_WEBM_ZZa001 0.822
  809. #counts SARE_FREE_WEBM_ZZa001 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  810. #max SARE_FREE_WEBM_ZZa001 38s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
  811. #counts SARE_FREE_WEBM_ZZa001 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
  812. #counts SARE_FREE_WEBM_ZZa001 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  813. #max SARE_FREE_WEBM_ZZa001 3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  814. #counts SARE_FREE_WEBM_ZZa001 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  815. #counts SARE_FREE_WEBM_ZZa001 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  816. #counts SARE_FREE_WEBM_ZZa001 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Six unscored body sub-rules, each a case-insensitive match on a webmail
  # footer phrase (English, Italian, Spanish and French wordings). The meta
  # fires when any one of them matches and adds 0.698.
  # Body text is written by the sender; the #ham tag and the 25s/4h RM run
  # below show legitimate webmail users hit this too.
  817. body __SARE_FREE_WEBM_SERV1 /Mail sent from WebMail service/i
  818. body __SARE_FREE_WEBM_SERV2 /spedita dal servizio WebMail/i
  819. body __SARE_FREE_WEBM_SERV3 /Mail enviado desde el servicio de WebMail/i
  820. body __SARE_FREE_WEBM_SERV4 /Mail inviata dal WebMail service/i
  821. body __SARE_FREE_WEBM_SERV5 /le module WebMail des service/i
  822. body __SARE_FREE_WEBM_SERV6 /Servizio WebMail offerto/i
  823. meta SARE_FREE_WEBM_SERV (__SARE_FREE_WEBM_SERV1 || __SARE_FREE_WEBM_SERV2 || __SARE_FREE_WEBM_SERV3 || __SARE_FREE_WEBM_SERV4 || __SARE_FREE_WEBM_SERV5 || __SARE_FREE_WEBM_SERV6)
  824. describe SARE_FREE_WEBM_SERV Sent from Webmail server
  825. score SARE_FREE_WEBM_SERV 0.698
  826. #ham SARE_FREE_WEBM_SERV confirmed (several)
  827. #hist SARE_FREE_WEBM_SERV Kevin Peuhkurinen, May 2005
  828. #counts SARE_FREE_WEBM_SERV 25s/4h of 173032 corpus (99056s/73976h RM) 05/11/06
  829. #max SARE_FREE_WEBM_SERV 1104s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
  830. #counts SARE_FREE_WEBM_SERV 28s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  831. #counts SARE_FREE_WEBM_SERV 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  832. #max SARE_FREE_WEBM_SERV 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  833. #counts SARE_FREE_WEBM_SERV 48s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  834. #counts SARE_FREE_WEBM_SERV 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  835. #counts SARE_FREE_WEBM_SERV 10s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  836. #max SARE_FREE_WEBM_SERV 58s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  837. #counts SARE_FREE_WEBM_SERV 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  838. #####################################################################################
  839. # SARE Message-ID rules
  840. ######## ###################### ##################################################
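  # Adds 1.666 for a Message-ID shaped <d.d.dd.(16 digits)(6 lower-case hex)@...
  # unless a Received header contains the upper-case literal "LOCALHOST".
  # Both patterns are case-sensitive (no /i). The exemption reads raw Received
  # text, which is only trustworthy for hops added by your own relays.
  # The describe text closes its parenthesis, matching SARE_MSGID_D5D7's style.
  841. header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
  842. header __SARE_MSGID_D1D1D2D16 MESSAGEID =~ /<\d\.\d\.\d\d\.\d{16}[a-f0-9]{6}@/
  843. meta SARE_MSGID_D1D1D2D16 !__SARE_RECV_LOCALHOST && __SARE_MSGID_D1D1D2D16
  844. describe SARE_MSGID_D1D1D2D16 Message-ID has ratware pattern (9.9.99.9999999hex@)
  845. score SARE_MSGID_D1D1D2D16 1.666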
  846. #counts SARE_MSGID_D1D1D2D16 13s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  847. #max SARE_MSGID_D1D1D2D16 590s/0h of 115439 corpus (94250s/21189h) 04/30/04
  848. #counts SARE_MSGID_D1D1D2D16 3s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  849. #counts SARE_MSGID_D1D1D2D16 46s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  850. #counts SARE_MSGID_D1D1D2D16 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  851. #counts SARE_MSGID_D1D1D2D16 22s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  852. #counts SARE_MSGID_D1D1D2D16 109s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  853. #counts SARE_MSGID_D1D1D2D16 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Adds 0.622 when a Message-ID contains "<" + 5 digits + "." + 7 digits + "@".
  # MESSAGEID is SpamAssassin's pseudo-header for the message's Message-Id
  # headers. The #ham tag below records a confirmed legitimate hit.
  854. header SARE_MSGID_D5D7 MESSAGEID =~ /<\d{5}\.\d{7}\@/
  855. describe SARE_MSGID_D5D7 Message-ID has ratware pattern (99999.9999999@)
  856. score SARE_MSGID_D5D7 0.622
  857. #ham SARE_MSGID_D5D7 confirmed
  858. #counts SARE_MSGID_D5D7 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
  859. #max SARE_MSGID_D5D7 4s/1h of 114238 corpus (81067s/33171h RM) 01/15/05
  860. #counts SARE_MSGID_D5D7 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  861. #counts SARE_MSGID_D5D7 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  862. #max SARE_MSGID_D5D7 25s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  863. #counts SARE_MSGID_D5D7 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  864. #counts SARE_MSGID_D5D7 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 1.666 when a Message-ID has "<", one or two digits, then "$" or "-",
  # unless a Received header contains the upper-case literal "LOCALHOST".
  # __SARE_RECV_LOCALHOST is re-declared here with the same pattern that the
  # SARE_MSGID_D1D1D2D16 rule uses earlier in this file.
  # The describe text lists 9-, 9$ and 99-; the pattern also accepts 99$.
  # The runs below include ham hits (e.g. 2420s/5h RM), so it is not ham-free.
  865. header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
  866. header __SARE_MSGID_DDDASH MESSAGEID =~ /<\d\d?[\$-]/
  867. meta SARE_MSGID_DDDASH __SARE_MSGID_DDDASH && !__SARE_RECV_LOCALHOST
  868. describe SARE_MSGID_DDDASH Message-ID has ratware pattern (9-, 9$, 99-)
  869. score SARE_MSGID_DDDASH 1.666
  870. #counts SARE_MSGID_DDDASH 2420s/5h of 173032 corpus (99056s/73976h RM) 05/11/06
  871. #max SARE_MSGID_DDDASH 3039s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
  872. #counts SARE_MSGID_DDDASH 3230s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  873. #counts SARE_MSGID_DDDASH 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  874. #max SARE_MSGID_DDDASH 114s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
  875. #counts SARE_MSGID_DDDASH 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  876. #counts SARE_MSGID_D5D7 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  877. #max SARE_MSGID_DDDASH 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  878. #counts SARE_MSGID_DDDASH 13030s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
  879. #counts SARE_MSGID_DDDASH 206s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 0.619 when a Message-ID contains 50 consecutive characters drawn from
  # lower-case letters, digits and "$" (case-sensitive; upper case breaks the run).
  # The MY runs below record ham hits (15s/5h), so long IDs also occur in real mail.
  880. header SARE_MSGID_LONG50 MESSAGEID =~ /[a-z0-9\$]{50}/
  881. describe SARE_MSGID_LONG50 Exceedingly long message id
  882. score SARE_MSGID_LONG50 0.619
  883. #hist SARE_MSGID_LONG50 Created by Frederic Tarasevicius
  884. #counts SARE_MSGID_LONG50 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  885. #max SARE_MSGID_LONG50 575s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
  886. #counts SARE_MSGID_LONG50 14s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  887. #counts SARE_MSGID_LONG50 15s/5h of 22942 corpus (17234s/5708h MY) 05/14/06
  888. #max SARE_MSGID_LONG50 38s/2h of 47283 corpus (43206s/4077h MY) 06/05/05
  889. #counts SARE_MSGID_LONG50 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  890. #max SARE_MSGID_LONG50 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  891. #counts SARE_MSGID_LONG50 26s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  892. #counts SARE_MSGID_LONG50 10s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 0.056 when a Message-ID has at least one lower-case letter somewhere
  # before ".qmail@". NOTE(review): presumably this targets IDs imitating the
  # qmail format - confirm. The score is near zero, and the #ham tag and the
  # 0s/1h RM run below show a legitimate hit.
  893. header SARE_MSGID_QMAIL1 MESSAGEID =~ /^<.*[a-z].*\.qmail\@.*>/
  894. describe SARE_MSGID_QMAIL1 Contains spoofing message id
  895. score SARE_MSGID_QMAIL1 0.056
  896. #ham SARE_MSGID_QMAIL1 confirmed
  897. #hist SARE_MSGID_QMAIL1 David Hooton, Fri, 11 Jun 2004
  898. #counts SARE_MSGID_QMAIL1 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  899. #max SARE_MSGID_QMAIL1 31s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
  900. #counts SARE_MSGID_QMAIL1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  901. #max SARE_MSGID_QMAIL1 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  902. #counts SARE_MSGID_QMAIL1 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  903. #max SARE_MSGID_QMAIL1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  904. #counts SARE_MSGID_QMAIL1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  905. #counts SARE_MSGID_QMAIL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  906. #counts SARE_MSGID_QMAIL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Adds 0.639 for a Message-ID of the form <10-15 digits.18-40 digits@letters>,
  # where the part after "@" is lower-case letters only with no dot.
  # Case-sensitivity is deliberate (see the trailing "no /i!" remark).
  # The JH runs below record 2 ham hits.
  907. header SARE_MSGID_RATWARE2 MESSAGEID =~ /\<\d{10,15}\.\d{18,40}\@[a-z]+\>/ # no /i!
  908. describe SARE_MSGID_RATWARE2 Message-Id is <digits.digits@letters>
  909. score SARE_MSGID_RATWARE2 0.639
  910. #hist SARE_MSGID_RATWARE2 Loren Wilton Sat, 3 Apr 2004 20:29:32 -0800
  911. #matches SARE_MSGID_RATWARE2 numbers.numbers@letters
  912. #counts SARE_MSGID_RATWARE2 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  913. #max SARE_MSGID_RATWARE2 1640s/0h of 115925 corpus (94616s/21309h) 05/01/04
  914. #counts SARE_MSGID_RATWARE2 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  915. #counts SARE_MSGID_RATWARE2 33s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  916. #max SARE_MSGID_RATWARE2 66s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  917. #counts SARE_MSGID_RATWARE2 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  918. #max SARE_MSGID_RATWARE2 31s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  919. #counts SARE_MSGID_RATWARE2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  920. #max SARE_MSGID_RATWARE2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  921. #counts SARE_MSGID_RATWARE2 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  922. #counts SARE_MSGID_RATWARE2 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 0.856 when the Message-ID value is between 1 and 6 characters long in
  # total (anchored at both ends). The JH runs below record one ham hit.
  923. header SARE_MSGID_SHORT MESSAGEID =~ /^.{1,6}$/
  924. describe SARE_MSGID_SHORT Message ID is too short to be valid.
  925. score SARE_MSGID_SHORT 0.856
  926. #hist SARE_MSGID_SHORT RM_hm_ShortMsgid6
  927. #counts SARE_MSGID_SHORT 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  928. #max SARE_MSGID_SHORT 191s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
  929. #counts SARE_MSGID_SHORT 16s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  930. #counts SARE_MSGID_SHORT 34s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  931. #max SARE_MSGID_SHORT 40s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  932. #counts SARE_MSGID_SHORT 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  933. #max SARE_MSGID_SHORT 68s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  934. #counts SARE_MSGID_SHORT 18s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  935. #counts SARE_MSGID_SHORT 28s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  936. #####################################################################################
  937. # SARE Received Header Rules
  938. ######## ###################### ##################################################
  # Adds 1.022 when an untrusted relay's HELO string starts with "dsl-"
  # (case-sensitive). X-Spam-Relays-Untrusted is SpamAssassin's parsed view of
  # the Received hops outside the trusted network, so the result depends on
  # trusted_networks being set correctly. HELO is chosen by the connecting client.
  # No describe line for this rule is visible in this part of the file.
  # The #ham tag and runs below (e.g. 232s/1h RM) show legitimate DSL senders hit it.
  939. header SARE_HELO_EQ_DSL_3 X-Spam-Relays-Untrusted =~ /helo=dsl-/
  940. score SARE_HELO_EQ_DSL_3 1.022
  941. #ham SARE_HELO_EQ_DSL_3 confirmed (several)
  942. #hist SARE_HELO_EQ_DSL_3 Frederic Tarasevicius, Feb 22 2005
  943. #counts SARE_HELO_EQ_DSL_3 232s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  944. #max SARE_HELO_EQ_DSL_3 529s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
  945. #counts SARE_HELO_EQ_DSL_3 51s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  946. #counts SARE_HELO_EQ_DSL_3 143s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  947. #max SARE_HELO_EQ_DSL_3 149s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
  948. #counts SARE_HELO_EQ_DSL_3 23s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
  949. #max SARE_HELO_EQ_DSL_3 42s/1h of 45478 corpus (41529s/3949h MY) 05/16/05
  950. #counts SARE_HELO_EQ_DSL_3 22s/2h of 13313 corpus (7438s/5875h CT) 05/14/06
  951. #max SARE_HELO_EQ_DSL_3 68s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
  952. #counts SARE_HELO_EQ_DSL_3 84s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06
  953. #counts SARE_HELO_EQ_DSL_3 117s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 0.555 when an untrusted relay's HELO string starts with "pppoe-"
  # followed by four dash-separated digit groups (case-insensitive), i.e. a
  # HELO that looks like a dial-up/PPPoE customer host name.
  # No describe line for this rule is visible in this part of the file.
  954. header SARE_HELO_EQ_PPPOE X-Spam-Relays-Untrusted =~ /helo=pppoe-\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}/i
  955. score SARE_HELO_EQ_PPPOE 0.555
  956. #stype SARE_HELO_EQ_PPPOE spamp
  957. #hist SARE_HELO_EQ_PPPOE Frederic Tarasevicius, Feb 22 2005
  958. #counts SARE_HELO_EQ_PPPOE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  959. #max SARE_HELO_EQ_PPPOE 3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  960. #counts SARE_HELO_EQ_PPPOE 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  961. #counts SARE_HELO_EQ_PPPOE 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
  962. #counts SARE_HELO_EQ_PPPOE 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
  963. #counts SARE_HELO_EQ_PPPOE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  964. #counts SARE_HELO_EQ_PPPOE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Adds 0.828 when the raw text of a Received header contains "helo=yahoo.com"
  # (case-insensitive). This reads Received as written, not the parsed
  # X-Spam-Relays-* view, so hops outside the trusted network are matched too.
  # The #ham tag below attributes six legitimate hits to one Apple Mail version.
  965. header SARE_HELO_YAHOO Received =~ /helo=yahoo\.com/i
  966. describe SARE_HELO_YAHOO Received header has spamsign
  967. score SARE_HELO_YAHOO 0.828
  968. #ham SARE_HELO_YAHOO confirmed (6), generated by X-Mailer: Apple Mail (2.552)
  969. #hist SARE_HELO_YAHOO Created by Bob Menschel Oct 26 2004
  970. #counts SARE_HELO_YAHOO 41s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  971. #max SARE_HELO_YAHOO 663s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
  972. #counts SARE_HELO_YAHOO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  973. #counts SARE_HELO_YAHOO 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  974. #counts SARE_HELO_YAHOO 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  975. #counts SARE_HELO_YAHOO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Adds 1.666 when a Received header contains three or more consecutive
  # characters in the range 0x80-0xff. The describe text says "strange header",
  # but the test is tied to Received only.
  # NOTE(review): hops that write non-ASCII host names or comments would also
  # match - confirm against current traffic. The #ham tag below records one
  # verified legitimate hit.
  976. header SARE_HEAD_8BIT_RECV Received =~ /[\x80-\xff]{3,}/
  977. describe SARE_HEAD_8BIT_RECV High-ascii characters found in strange header
  978. score SARE_HEAD_8BIT_RECV 1.666
  979. #ham SARE_HEAD_8BIT_RECV verified (1)
  980. #hist SARE_HEAD_8BIT_RECV From Bugzilla # 2243
  981. #counts SARE_HEAD_8BIT_RECV 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  982. #max SARE_HEAD_8BIT_RECV 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  983. #counts SARE_HEAD_8BIT_RECV 21s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  984. #counts SARE_HEAD_8BIT_RECV 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  985. #counts SARE_HEAD_8BIT_RECV 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
  986. #counts SARE_HEAD_8BIT_RECV 10s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  987. #counts SARE_HEAD_8BIT_RECV 13s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  988. #counts SARE_HEAD_8BIT_RECV 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 1.666 when a Received header contains "by fep5." (case-insensitive),
  # i.e. a hop that names its receiving host with a leading "fep5" label.
  # The match is on a host-name fragment, not on a specific domain; the #ham tag
  # below records one verified legitimate hit.
  989. header SARE_RECV_FEP5 Received =~ /by fep5\./i
  990. describe SARE_RECV_FEP5 Message contains known spam format
  991. score SARE_RECV_FEP5 1.666
  992. #ham SARE_RECV_FEP5 verified (1)
  993. #counts SARE_RECV_FEP5 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  994. #max SARE_RECV_FEP5 528s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
  995. #counts SARE_RECV_FEP5 7s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
  996. #counts SARE_RECV_FEP5 27s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  997. #max SARE_RECV_FEP5 479s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  998. #counts SARE_RECV_FEP5 208s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  999. #counts SARE_RECV_FEP5 72s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1000. #counts SARE_RECV_FEP5 6s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Adds 0.756 when a Received header contains "mdnet.com.br" at a word
  # boundary (case-sensitive, no anchor on the right).
  # The most recent runs below show 0 hits in most corpora (peak 33s/0h in
  # January 2005), so this indicator may no longer be live.
  1001. header SARE_RECV_MDNETCOMBR Received =~ /\bmdnet\.com\.br/
  1002. describe SARE_RECV_MDNETCOMBR Came through/fromsite used by spammer
  1003. score SARE_RECV_MDNETCOMBR 0.756
  1004. #counts SARE_RECV_MDNETCOMBR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1005. #max SARE_RECV_MDNETCOMBR 33s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
  1006. #counts SARE_RECV_MDNETCOMBR 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1007. #counts SARE_RECV_MDNETCOMBR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  1008. #counts SARE_RECV_MDNETCOMBR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1009. #counts SARE_RECV_MDNETCOMBR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Adds 0.964 when a Received header contains "patmedia.net" at a word
  # boundary (case-insensitive).
  # False-positive caveat: the 05/11/06 RM run below records 10 spam hits
  # against 19 ham hits, so on that corpus the rule hit more ham than spam.
  1010. header SARE_RECV_PATMEDIA Received =~ /\bpatmedia\.net/i
  1011. describe SARE_RECV_PATMEDIA Passed through possible spammer relay or source
  1012. score SARE_RECV_PATMEDIA 0.964
  1013. #stype SARE_RECV_PATMEDIA spamp
  1014. #hist SARE_RECV_PATMEDIA Created by Bob Menschel Aug 19 2004
  1015. #counts SARE_RECV_PATMEDIA 10s/19h of 173032 corpus (99056s/73976h RM) 05/11/06
  1016. #max SARE_RECV_PATMEDIA 47s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
  1017. #counts SARE_RECV_PATMEDIA 15s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  1018. #counts SARE_RECV_PATMEDIA 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1019. #counts SARE_RECV_PATMEDIA 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1020. #counts SARE_RECV_PATMEDIA 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1021. #max SARE_RECV_PATMEDIA 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1022. #counts SARE_RECV_PATMEDIA 93s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1023. #counts SARE_RECV_PATMEDIA 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Three tiers matching a "(port=NNNN helo=[word])" style Received comment,
  # where the bracketed HELO holds word characters only (no dots):
  #   _1  full form "from [d.d.d.d] (port=NNNN helo=[word])"  -> 1.666
  #   _2  "(port=NNNN helo=[word])" present, _1 not matched    -> 2.000
  #   _3  "helo=[word]" present, neither of the above matched  -> 2.222
  # The digit groups in _1 are not range-checked as an IPv4 address.
  # NOTE(review): the loosest pattern (_3) carries the highest score; the #note
  # lines say scoring is by "safety" - confirm this ordering is intended.
  # All three read raw Received text, which covers untrusted hops as well.
  1024. header __SARE_RECV_PORTHELOA Received =~ /helo=\[\w+\]/i
  1025. header __SARE_RECV_PORTHELOB Received =~ /\(port=\d{4} helo=\[\w+\]\)/i
  1026. header SARE_RECV_PORTHELO_1 Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \(port=\d{4} helo=\[\w+\]\)/i
  1027. meta SARE_RECV_PORTHELO_2 __SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
  1028. meta SARE_RECV_PORTHELO_3 __SARE_RECV_PORTHELOA && !__SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
  1029. describe SARE_RECV_PORTHELO_1 Apparent Spamsign in Received header
  1030. describe SARE_RECV_PORTHELO_2 Apparent Spamsign in Received header
  1031. describe SARE_RECV_PORTHELO_3 Apparent Spamsign in Received header
  1032. score SARE_RECV_PORTHELO_1 1.666
  1033. #note SARE_RECV_PORTHELO_1 As of June 8 2005, all three rules in this family hit identically.
  1034. #note SARE_RECV_PORTHELO_1 We score them based on their "safety".
  1035. #hist SARE_RECV_PORTHELO_1 Loren Wilton, June 2005
  1036. #counts SARE_RECV_PORTHELO_1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1037. #max SARE_RECV_PORTHELO_1 5201s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1038. #counts SARE_RECV_PORTHELO_1 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1039. #max SARE_RECV_PORTHELO_1 42s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  1040. #counts SARE_RECV_PORTHELO_1 116s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1041. #counts SARE_RECV_PORTHELO_1 0s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1042. #max SARE_RECV_PORTHELO_1 83s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
  1043. #counts SARE_RECV_PORTHELO_1 69s/0h of 55754 corpus (18581s/37173h JH-3.01) 06/10/05
  1044. #counts SARE_RECV_PORTHELO_1 230s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
  1045. #max SARE_RECV_PORTHELO_1 286s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1046. score SARE_RECV_PORTHELO_2 2.000
  1047. #counts SARE_RECV_PORTHELO_2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1048. score SARE_RECV_PORTHELO_3 2.222
  1049. #counts SARE_RECV_PORTHELO_3 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1050. #max SARE_RECV_PORTHELO_3 499s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1051. #counts SARE_RECV_PORTHELO_3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  # Adds 0.660 when a Received header contains "skanova.com" at a word boundary
  # (case-insensitive). The #ham tag and runs below (e.g. 37s/2h RM) show that
  # legitimate mail passes through this domain as well.
  1052. header SARE_RECV_SKANOVA Received =~ /\bskanova\.com/i
  1053. describe SARE_RECV_SKANOVA From or passed through spammer/unreliable domain
  1054. score SARE_RECV_SKANOVA 0.660
  1055. #ham SARE_RECV_SKANOVA verified (several)
  1056. #hist SARE_RECV_SKANOVA Created by Bob Menschel Apr 03 2004
  1057. #counts SARE_RECV_SKANOVA 37s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
  1058. #max SARE_RECV_SKANOVA 197s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
  1059. #counts SARE_RECV_SKANOVA 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1060. #counts SARE_RECV_SKANOVA 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1061. #max SARE_RECV_SKANOVA 18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1062. #counts SARE_RECV_SKANOVA 15s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
  1063. #counts SARE_RECV_SKANOVA 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1064. #max SARE_RECV_SKANOVA 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  1065. #counts SARE_RECV_SKANOVA 43s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1066. #counts SARE_RECV_SKANOVA 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 1.666 when a Received header contains dsl.telesp or speedyterra under
  # .com.br or .net.br (case-sensitive). The match is on any hop, trusted or not.
  # The #ham tag and the peak run below (1953s/8h RM) record legitimate hits.
  1067. header SARE_RECV_SPAM_DOMN02 Received =~ /\b(?:dsl\.telesp|speedyterra)\.(?:com|net)\.br/
  1068. describe SARE_RECV_SPAM_DOMN02 Email passed through apparent spammer domain
  1069. score SARE_RECV_SPAM_DOMN02 1.666
  1070. #ham SARE_RECV_SPAM_DOMN02 Confirmed (5)
  1071. #counts SARE_RECV_SPAM_DOMN02 31s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1072. #max SARE_RECV_SPAM_DOMN02 1953s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
  1073. #counts SARE_RECV_SPAM_DOMN02 138s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1074. #counts SARE_RECV_SPAM_DOMN02 168s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1075. #max SARE_RECV_SPAM_DOMN02 187s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  1076. #counts SARE_RECV_SPAM_DOMN02 17s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1077. #max SARE_RECV_SPAM_DOMN02 64s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  1078. #counts SARE_RECV_SPAM_DOMN02 60s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1079. #counts SARE_RECV_SPAM_DOMN02 631s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1080. #counts SARE_RECV_SPAM_DOMN02 194s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 0.772 when a Received header contains megared.com.mx or megared.net.mx
  # (case-sensitive). The #ham tag and the peak run below (244s/9h RM) record
  # legitimate hits.
  1081. header SARE_RECV_SPAM_DOMN04 Received =~ /\b(?:megared)\.(?:com|net)\.mx/
  1082. describe SARE_RECV_SPAM_DOMN04 Email passed through apparent spammer domain
  1083. score SARE_RECV_SPAM_DOMN04 0.772
  1084. #ham SARE_RECV_SPAM_DOMN04 verified (3)
  1085. #counts SARE_RECV_SPAM_DOMN04 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1086. #max SARE_RECV_SPAM_DOMN04 244s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
  1087. #counts SARE_RECV_SPAM_DOMN04 29s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1088. #max SARE_RECV_SPAM_DOMN04 34s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1089. #counts SARE_RECV_SPAM_DOMN04 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1090. #counts SARE_RECV_SPAM_DOMN04 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1091. #max SARE_RECV_SPAM_DOMN04 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1092. #counts SARE_RECV_SPAM_DOMN04 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1093. #counts SARE_RECV_SPAM_DOMN04 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
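  # Adds 0.678 when a Received header contains "adsl.cust.tie.cl"
  # (case-insensitive). Each dot is escaped so it matches only a literal ".";
  # an unescaped dot matches any character and would let unrelated host names hit.
  # The #ham tag and the peak run below (161s/2h RM) record legitimate hits.
  1094. header SARE_RECV_SPAM_DOMN06 Received =~ /adsl\.cust\.tie\.cl/i
  1095. describe SARE_RECV_SPAM_DOMN06 Passed through possible spammer relay or source
  1096. score SARE_RECV_SPAM_DOMN06 0.678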
  1097. #ham SARE_RECV_SPAM_DOMN06 verified (1)
  1098. #hist SARE_RECV_SPAM_DOMN06 Created by Bob Menschel Jul 17 2004
  1099. #counts SARE_RECV_SPAM_DOMN06 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1100. #max SARE_RECV_SPAM_DOMN06 161s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  1101. #counts SARE_RECV_SPAM_DOMN06 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1102. #counts SARE_RECV_SPAM_DOMN06 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1103. #counts SARE_RECV_SPAM_DOMN06 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1104. #max SARE_RECV_SPAM_DOMN06 6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  1105. #counts SARE_RECV_SPAM_DOMN06 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1106. #max SARE_RECV_SPAM_DOMN06 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1107. #counts SARE_RECV_SPAM_DOMN06 27s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1108. #counts SARE_RECV_SPAM_DOMN06 15s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 0.917 when a Received header contains one of eight listed names under
  # .com, .net, .org or .info (case-sensitive, no anchor after the TLD).
  # The #hist line below shows entries are pruned over time (freeserve.com was
  # removed), so the list needs periodic review.
  1109. header SARE_RECV_SPAM_DOMN0a Received =~ /\b(?:cyberemailings|netmedia-corp|themailservers|ucanrecover|vnuemedia|winnerssweepstakes|wseas|www--directory)\.(?:com|net|org|info)/
  1110. describe SARE_RECV_SPAM_DOMN0a Email passed through apparent spammer domain
  1111. score SARE_RECV_SPAM_DOMN0a 0.917
  1112. #ham SARE_RECV_SPAM_DOMN0a 218-162-39-132.dynamic.hinet.net, valid/appropriate UCE
  1113. #hist SARE_RECV_SPAM_DOMN0a freeserve.com removed May 16 2005
  1114. #counts SARE_RECV_SPAM_DOMN0a 28s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1115. #max SARE_RECV_SPAM_DOMN0a 242s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
  1116. #counts SARE_RECV_SPAM_DOMN0a 19s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1117. #counts SARE_RECV_SPAM_DOMN0a 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1118. #max SARE_RECV_SPAM_DOMN0a 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1119. #counts SARE_RECV_SPAM_DOMN0a 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1120. #max SARE_RECV_SPAM_DOMN0a 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1121. #counts SARE_RECV_SPAM_DOMN0a 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1122. #counts SARE_RECV_SPAM_DOMN0a 8s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1123. #counts SARE_RECV_SPAM_DOMN0a 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
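  # Adds 1.666 when a Received header contains "dynamic.hinet" under .com,
  # .net, .org or .info (case-sensitive). The dot after "dynamic" is escaped so
  # it matches only a literal "." rather than any character.
  # False-positive caveat: the #ham tag says "confirmed (many)" and the
  # 05/11/06 RM run below records 39 ham hits alongside 1272 spam hits.
  1124. header SARE_RECV_SPAM_DOMN0b Received =~ /\bdynamic\.hinet\.(?:com|net|org|info)/
  1125. describe SARE_RECV_SPAM_DOMN0b Email passed through apparent spammer domain
  1126. score SARE_RECV_SPAM_DOMN0b 1.666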
  1127. #ham SARE_RECV_SPAM_DOMN0b confirmed (many)
  1128. #counts SARE_RECV_SPAM_DOMN0b 1272s/39h of 173032 corpus (99056s/73976h RM) 05/11/06
  1129. #max SARE_RECV_SPAM_DOMN0b 4287s/20h of 689155 corpus (348140s/341015h RM) 09/18/05
  1130. #counts SARE_RECV_SPAM_DOMN0b 809s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1131. #counts SARE_RECV_SPAM_DOMN0b 40s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1132. #counts SARE_RECV_SPAM_DOMN0b 25s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1133. #max SARE_RECV_SPAM_DOMN0b 59s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  1134. #counts SARE_RECV_SPAM_DOMN0b 43s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1135. #counts SARE_RECV_SPAM_DOMN0b 600s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1136. #counts SARE_RECV_SPAM_DOMN0b 399s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 0.808 when a Received header contains speedy.com.ar or speedy.net.ar
  # (case-sensitive). The #ham line below shows a legitimate postmaster message
  # relayed from a speedy.com.ar customer host; the RM run records 60s/3h.
  1137. header SARE_RECV_SPEEDY_AR Received =~ /\b(?:speedy)\.(?:com|net)\.ar/
  1138. describe SARE_RECV_SPEEDY_AR Email passed through apparent spammer domain
  1139. score SARE_RECV_SPEEDY_AR 0.808
  1140. #ham SARE_RECV_SPEEDY_AR From: "Hushport Admin" <postmaster@hushport.com>, Received: from nairobi (200-63-141-89.speedy.com.ar [200.63.141.89])
  1141. #counts SARE_RECV_SPEEDY_AR 60s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
  1142. #max SARE_RECV_SPEEDY_AR 278s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  1143. #counts SARE_RECV_SPEEDY_AR 10s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  1144. #counts SARE_RECV_SPEEDY_AR 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1145. #counts SARE_RECV_SPEEDY_AR 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1146. #max SARE_RECV_SPEEDY_AR 14s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  1147. #counts SARE_RECV_SPEEDY_AR 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1148. #max SARE_RECV_SPEEDY_AR 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1149. #counts SARE_RECV_SPEEDY_AR 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1150. #counts SARE_RECV_SPEEDY_AR 51s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 0.917 when a Received header contains "uk2.net" with a word boundary
  # on both sides (case-insensitive). No ham hits are recorded in the runs below.
  # The match covers every hop in the header chain, not only the sending relay.
  1151. header SARE_RECV_UK2NET2 Received =~ /\buk2\.net\b/i
  1152. describe SARE_RECV_UK2NET2 Passed through possible spammer relay or source
  1153. score SARE_RECV_UK2NET2 0.917
  1154. #hist SARE_RECV_UK2NET2 Created by Bob Menschel Oct 01 2004
  1155. #counts SARE_RECV_UK2NET2 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1156. #counts SARE_RECV_UK2NET2 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1157. #counts SARE_RECV_UK2NET2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1158. #max SARE_RECV_UK2NET2 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1159. #counts SARE_RECV_UK2NET2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1160. #max SARE_RECV_UK2NET2 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  1161. #counts SARE_RECV_UK2NET2 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1162. #max SARE_RECV_UK2NET2 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  1163. #counts SARE_RECV_UK2NET2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1164. #counts SARE_RECV_UK2NET2 7s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Adds 1.193 when a Received header contains "virtua.com.br" at a word
  # boundary (case-sensitive). The #ham tag and runs below (32s/3h RM, peak
  # 882s/45h) show a steady share of legitimate mail from this domain.
  1165. header SARE_RECV_VIRTUACOMBR Received =~ /\bvirtua\.com\.br/
  1166. describe SARE_RECV_VIRTUACOMBR Came through/fromsite used by spammer
  1167. score SARE_RECV_VIRTUACOMBR 1.193
  1168. #ham SARE_RECV_VIRTUACOMBR confirmed (4)
  1169. #hist SARE_RECV_VIRTUACOMBR RM_hr_VirtuaComBr
  1170. #counts SARE_RECV_VIRTUACOMBR 32s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
  1171. #max SARE_RECV_VIRTUACOMBR 882s/45h of 689155 corpus (348140s/341015h RM) 09/18/05
  1172. #counts SARE_RECV_VIRTUACOMBR 36s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1173. #counts SARE_RECV_VIRTUACOMBR 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1174. #max SARE_RECV_VIRTUACOMBR 20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1175. #counts SARE_RECV_VIRTUACOMBR 104s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1176. #counts SARE_RECV_VIRTUACOMBR 25s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1177. #max SARE_RECV_VIRTUACOMBR 37s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1178. #counts SARE_RECV_VIRTUACOMBR 193s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1179. #counts SARE_RECV_VIRTUACOMBR 63s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1180. #####################################################################################
  1181. # SARE Received Header IP Address Rules
  1182. ######## ###################### ##################################################
  1183. #header __SARE_RECV_BEZEQINT Received =~ /\bbezeqint\.net/
  # Six unscored sub-rules, each matching a bracketed IPv4 address in Received
  # whose first two octets are fixed (212.179, 62.219, 81.218, 82.80, 82.81)
  # and whose third octet falls in the listed ranges. The last octet is any
  # 1-3 digits and is not range-checked. The meta fires on any sub-rule: 0.763.
  # The ranges are hard-coded; the #hist line below says they came from data
  # supplied by the ISP. NOTE(review): re-validate the allocations before
  # relying on this rule, as address assignments change over time.
  1184. header __SARE_RECV_BEZEQINT1 Received =~ /\[212\.179\.13\.\d{1,3}\]/
  1185. header __SARE_RECV_BEZEQINT2 Received =~ /\[212\.179\.(?:8\d|9[1-46-9]|10[0-6]|11[6-9]|12[89]|1[3-6]\d|17[0-36-9]|19[02-9]|2\d\d)\.\d{1,3}\]/
  1186. header __SARE_RECV_BEZEQINT3 Received =~ /\[62\.219\.(?:4[89]|5[1-9]|[67]\d|11[2-9]|1[2-5]\d|189|192)\.\d{1,3}\]/
  1187. header __SARE_RECV_BEZEQINT4 Received =~ /\[81\.218\.(?:\d{1,2}|1[01]\d|12[0-7]|13[2-9]|1[4-9]\d|2\d\d)\.\d{1,3}\]/
  1188. header __SARE_RECV_BEZEQINT5 Received =~ /\[82\.80\.(?:\d|[1-5]\d|6[0-3]|12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3}\]/
  1189. header __SARE_RECV_BEZEQINT6 Received =~ /\[82\.81\.(?:\d|\d\d|1[01]\d|12[0-7]|19[2-9]|2[01]\d|22[0-3])\.\d{1,3}\]/
  1190. meta SARE_RECV_BEZEQINT_B __SARE_RECV_BEZEQINT1 || __SARE_RECV_BEZEQINT2 || __SARE_RECV_BEZEQINT3 || __SARE_RECV_BEZEQINT4 || __SARE_RECV_BEZEQINT5 || __SARE_RECV_BEZEQINT6
  1191. describe SARE_RECV_BEZEQINT_B Came through/fromsite used by spammer
  1192. score SARE_RECV_BEZEQINT_B 0.763
  1193. #ham SARE_RECV_BEZEQINT_B verified (4)
  1194. #hist SARE_RECV_BEZEQINT_B Created by Bob Menschel Jan 29 from data supplied by Bezeqint.net to replace SARE_RECV_BEZEQINT
  1195. #counts SARE_RECV_BEZEQINT_B 23s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1196. #max SARE_RECV_BEZEQINT_B 494s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
  1197. #counts SARE_RECV_BEZEQINT_B 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1198. #max SARE_RECV_BEZEQINT_B 24s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1199. #counts SARE_RECV_BEZEQINT_B 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1200. #max SARE_RECV_BEZEQINT_B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1201. #counts SARE_RECV_BEZEQINT_B 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1202. #max SARE_RECV_BEZEQINT_B 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1203. #counts SARE_RECV_BEZEQINT_B 38s/2h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1204. #counts SARE_RECV_BEZEQINT_B 20s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1205. header SARE_RECV_IP_FROMIP1 Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i
  1206. describe SARE_RECV_IP_FROMIP1 Received line is IP address from IP address
  1207. score SARE_RECV_IP_FROMIP1 1.666
        #note SARE_RECV_IP_FROMIP1 Fires on a Received header of the form "from <dotted-quad> by <dotted-quad>" (case-insensitive), i.e. both hop names are bare, unbracketed IPv4 literals separated only by whitespace
  1208. #hist SARE_RECV_IP_FROMIP1 From Regis Wilson, Wed, 24 Mar 2004, SUSP_IP_RECEIVED
  1209. #ham SARE_RECV_IP_FROMIP1 ham: South Valley Bank
  1210. #counts SARE_RECV_IP_FROMIP1 598s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
  1211. #max SARE_RECV_IP_FROMIP1 2940s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
  1212. #counts SARE_RECV_IP_FROMIP1 186s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1213. #counts SARE_RECV_IP_FROMIP1 1547s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1214. #max SARE_RECV_IP_FROMIP1 1784s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1215. #counts SARE_RECV_IP_FROMIP1 18s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1216. #max SARE_RECV_IP_FROMIP1 639s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  1217. #counts SARE_RECV_IP_FROMIP1 81s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1218. #max SARE_RECV_IP_FROMIP1 661s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1219. #counts SARE_RECV_IP_FROMIP1 173s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1220. #counts SARE_RECV_IP_FROMIP1 730s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1221. header SARE_RECV_IP_FROMIP3 ALL =~ /Received: from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by [a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz); [SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}/i
  1222. describe SARE_RECV_IP_FROMIP3 Received line is IP address from IP address
  1223. score SARE_RECV_IP_FROMIP3 0.711
        #note SARE_RECV_IP_FROMIP3 Tested against the full header text (ALL): a Received line "from <dotted-quad> by <host>.(com|net|org|biz); <weekday>, <date> <time> <zone>" with nothing between the by-host and the semicolon
        #note SARE_RECV_IP_FROMIP3 The by-host is a name, not an IP address, so the describe text is looser than the pattern; ham hits are recorded for this rule (see #ham and the MY counts)
  1224. #match SARE_RECV_IP_FROMIP3 Received: from 2.19.230.24 by web9DKKRb8QDIGIT.mail.yahoo.com; Sun, 28 Mar 2004 22:08:01 -0500
  1225. #ham SARE_RECV_IP_FROMIP3 Messages from a cell phone
  1226. #hist SARE_RECV_IP_FROMIP3 From Fred <tech2@i-is.com>, Fri, 2 Apr 2004, RE_hrip_IPfromIPc
  1227. #counts SARE_RECV_IP_FROMIP3 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1228. #max SARE_RECV_IP_FROMIP3 587s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1229. #counts SARE_RECV_IP_FROMIP3 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1230. #counts SARE_RECV_IP_FROMIP3 111s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1231. #max SARE_RECV_IP_FROMIP3 155s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  1232. #counts SARE_RECV_IP_FROMIP3 1s/4h of 22942 corpus (17234s/5708h MY) 05/14/06
  1233. #max SARE_RECV_IP_FROMIP3 46s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
  1234. #counts SARE_RECV_IP_FROMIP3 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1235. #max SARE_RECV_IP_FROMIP3 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1236. #counts SARE_RECV_IP_FROMIP3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1237. #counts SARE_RECV_IP_FROMIP3 19s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1238. header SARE_RECV_IP_061050 Received =~ /\[61\.5[01]\.\d{1,3}\.\d{1,3}\]/
  1239. describe SARE_RECV_IP_061050 Spam passed through possible spammer relay
  1240. score SARE_RECV_IP_061050 1.544
        #note SARE_RECV_IP_061050 Matches a bracketed IPv4 literal in 61.50.x.x or 61.51.x.x in a Received header
  1241. #ham SARE_RECV_IP_061050 confirmed (2)
  1242. #counts SARE_RECV_IP_061050 66s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1243. #max SARE_RECV_IP_061050 757s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
  1244. #counts SARE_RECV_IP_061050 62s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1245. #counts SARE_RECV_IP_061050 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1246. #counts SARE_RECV_IP_061050 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1247. #max SARE_RECV_IP_061050 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1248. #counts SARE_RECV_IP_061050 7s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1249. #counts SARE_RECV_IP_061050 23s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1250. #counts SARE_RECV_IP_061050 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1251. header SARE_RECV_IP_061072 Received =~ /\[61\.7[2-7]\.\d{1,3}\.\d{1,3}\]/
  1252. describe SARE_RECV_IP_061072 Passed through possible spammer relay or source
  1253. score SARE_RECV_IP_061072 1.592
        #note SARE_RECV_IP_061072 Matches a bracketed IPv4 literal in 61.72.x.x through 61.77.x.x in a Received header
  1254. #note SARE_RECV_IP_061072 Korea Telecom
  1255. #hist SARE_RECV_IP_061072 Created by Bob Menschel Nov 02 2004
  1256. #ham SARE_RECV_IP_061072 verified (1)
  1257. #counts SARE_RECV_IP_061072 42s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  1258. #max SARE_RECV_IP_061072 2043s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
  1259. #counts SARE_RECV_IP_061072 61s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1260. #counts SARE_RECV_IP_061072 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1261. #counts SARE_RECV_IP_061072 11s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1262. #max SARE_RECV_IP_061072 48s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1263. #counts SARE_RECV_IP_061072 11s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1264. #max SARE_RECV_IP_061072 21s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  1265. #counts SARE_RECV_IP_061072 177s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1266. #counts SARE_RECV_IP_061072 33s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1267. header SARE_RECV_IP_061187 Received =~ /\[61\.187\.\d{1,3}\.\d{1,3}\]/
  1268. describe SARE_RECV_IP_061187 Passed through possible spammer relay or source
  1269. score SARE_RECV_IP_061187 0.694
        #note SARE_RECV_IP_061187 Matches any bracketed IPv4 literal in 61.187.x.x in a Received header
  1270. #hist SARE_RECV_IP_061187 Created by Bob Menschel Aug 09 2004
  1271. #counts SARE_RECV_IP_061187 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1272. #max SARE_RECV_IP_061187 36s/1h of 114241 corpus (81067s/33174h RM) 01/15/05
  1273. #counts SARE_RECV_IP_061187 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1274. #counts SARE_RECV_IP_061187 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1275. #max SARE_RECV_IP_061187 4s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
  1276. #counts SARE_RECV_IP_061187 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1277. #max SARE_RECV_IP_061187 20s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1278. #counts SARE_RECV_IP_061187 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1279. #counts SARE_RECV_IP_061187 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1280. #counts SARE_RECV_IP_061187 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1281. header SARE_RECV_IP_061190 Received =~ /\[61\.190\.\d{1,3}\.\d{1,3}\]/
  1282. describe SARE_RECV_IP_061190 Spam passed through possible spammer relay
  1283. score SARE_RECV_IP_061190 1.111
        #note SARE_RECV_IP_061190 Matches any bracketed IPv4 literal in 61.190.x.x in a Received header
  1284. #stype SARE_RECV_IP_061190 spamp
  1285. #hist SARE_RECV_IP_061190 Created by Bob Menschel Apr 04 2004
  1286. #counts SARE_RECV_IP_061190 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1287. #max SARE_RECV_IP_061190 42s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1288. #counts SARE_RECV_IP_061190 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1289. #counts SARE_RECV_IP_061190 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1290. #max SARE_RECV_IP_061190 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1291. #counts SARE_RECV_IP_061190 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1292. #max SARE_RECV_IP_061190 5s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  1293. #counts SARE_RECV_IP_061190 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1294. #counts SARE_RECV_IP_061190 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1295. #counts SARE_RECV_IP_061190 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1296. header SARE_RECV_IP_061228 Received =~ /\[61\.(?:22[89]|23[01])\.\d{1,3}\.\d{1,3}\]/
  1297. describe SARE_RECV_IP_061228 Spam passed through possible spammer relay
  1298. score SARE_RECV_IP_061228 0.895
        #note SARE_RECV_IP_061228 Matches a bracketed IPv4 literal in 61.228.x.x through 61.231.x.x in a Received header
  1299. #ham SARE_RECV_IP_061228 verified (1)
  1300. #counts SARE_RECV_IP_061228 229s/8h of 173032 corpus (99056s/73976h RM) 05/11/06
  1301. #max SARE_RECV_IP_061228 757s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
  1302. #counts SARE_RECV_IP_061228 140s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1303. #counts SARE_RECV_IP_061228 6s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1304. #counts SARE_RECV_IP_061228 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1305. #max SARE_RECV_IP_061228 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1306. #counts SARE_RECV_IP_061228 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1307. #counts SARE_RECV_IP_061228 85s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1308. #counts SARE_RECV_IP_061228 80s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1309. header SARE_RECV_IP_066017 Received =~ /\[66\.17\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}\]/
  1310. describe SARE_RECV_IP_066017 Passed through possible spammer relay or source
  1311. score SARE_RECV_IP_066017 0.637
        #note SARE_RECV_IP_066017 Matches a bracketed IPv4 literal in 66.17.x.x whose third octet is 128 or higher
  1312. #ham SARE_RECV_IP_066017 confirmed (8)
  1313. #note SARE_RECV_IP_066017 Yipes Communications Inc
  1314. #hist SARE_RECV_IP_066017 Created by Bob Menschel Nov 20 2004
  1315. #counts SARE_RECV_IP_066017 16s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1316. #max SARE_RECV_IP_066017 88s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
  1317. #counts SARE_RECV_IP_066017 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1318. #counts SARE_RECV_IP_066017 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1319. #max SARE_RECV_IP_066017 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1320. #counts SARE_RECV_IP_066017 61s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1321. #max SARE_RECV_IP_066017 335s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1322. #counts SARE_RECV_IP_066017 0s/8h of 10590 corpus (5819s/4771h CT) 07/26/05
  1323. #max SARE_RECV_IP_066017 149s/8h of 11052 corpus (6614s/4438h CT) 03/10/05
  1324. #counts SARE_RECV_IP_066017 52s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1325. #counts SARE_RECV_IP_066017 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  1326. header SARE_RECV_IP_066165224 Received =~ /\[66\.165\.2(?:2[4-9]|3\d)\.\d{1,3}\]/
  1327. describe SARE_RECV_IP_066165224 Spam passed through possible spammer relay
  1328. score SARE_RECV_IP_066165224 1.278
        #note SARE_RECV_IP_066165224 Matches a bracketed IPv4 literal in 66.165.224.x through 66.165.239.x in a Received header
  1329. #ham SARE_RECV_IP_066165224 confirmed: 3
  1330. #hist SARE_RECV_IP_066165224 Created by Bob Menschel May 14 2005
  1331. #note SARE_RECV_IP_066165224 Cyber World Internet Services
  1332. #counts SARE_RECV_IP_066165224 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1333. #max SARE_RECV_IP_066165224 34s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
  1334. #counts SARE_RECV_IP_066165224 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1335. #max SARE_RECV_IP_066165224 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1336. #counts SARE_RECV_IP_066165224 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1337. #counts SARE_RECV_IP_066165224 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  1338. #counts SARE_RECV_IP_066165224 4s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1339. #max SARE_RECV_IP_066165224 124s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1340. header SARE_RECV_IP_069050210 Received =~ /\[69\.50\.210\.\d{1,3}\]/
  1341. describe SARE_RECV_IP_069050210 Spam passed through possible spammer relay
  1342. score SARE_RECV_IP_069050210 0.700
        #note SARE_RECV_IP_069050210 Matches any bracketed IPv4 literal in 69.50.210.x in a Received header
  1343. #ham SARE_RECV_IP_069050210 confirmed (2)
  1344. #hist SARE_RECV_IP_069050210 Created by Fred Tarasevicius May 2005
  1345. #counts SARE_RECV_IP_069050210 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1346. #max SARE_RECV_IP_069050210 49s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  1347. #counts SARE_RECV_IP_069050210 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1348. #counts SARE_RECV_IP_069050210 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1349. #max SARE_RECV_IP_069050210 12s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
  1350. #counts SARE_RECV_IP_069050210 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1351. #max SARE_RECV_IP_069050210 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1352. header SARE_RECV_IP_069060096 Received =~ /\[69\.60\.(?:9[6-9]|1(?:[01]\d|2[0-7]))\.\d{1,3}\]/
  1353. describe SARE_RECV_IP_069060096 Spam passed through possible spammer relay
  1354. score SARE_RECV_IP_069060096 1.666
        #note SARE_RECV_IP_069060096 Matches a bracketed IPv4 literal in 69.60.96.x through 69.60.127.x in a Received header
  1355. #ham SARE_RECV_IP_069060096 verified (1)
  1356. #hist SARE_RECV_IP_069060096 Created by Bob Menschel May 14 2005
  1357. #counts SARE_RECV_IP_069060096 112s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
  1358. #max SARE_RECV_IP_069060096 6813s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  1359. #counts SARE_RECV_IP_069060096 11s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  1360. #counts SARE_RECV_IP_069060096 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1361. #counts SARE_RECV_IP_069060096 409s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1362. #counts SARE_RECV_IP_069060096 166s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1363. #counts SARE_RECV_IP_069060096 368s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1364. #max SARE_RECV_IP_069060096 398s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1365. header SARE_RECV_IP_082080 Received =~ /\[82\.80\.(?:12[89]|1[3-8]\d|191)\.\d{1,3}\]/
  1366. describe SARE_RECV_IP_082080 Spam passed through possible spammer relay
  1367. score SARE_RECV_IP_082080 1.111
        #note SARE_RECV_IP_082080 Matches a bracketed IPv4 literal in 82.80.128.x through 82.80.189.x, plus 82.80.191.x (190 is not matched)
        #note SARE_RECV_IP_082080 The same third octets are also accepted by __SARE_RECV_BEZEQINT5, so SARE_RECV_BEZEQINT_B fires on these addresses too and the two scores add
  1368. #stype SARE_RECV_IP_082080 spamp
  1369. #counts SARE_RECV_IP_082080 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1370. #max SARE_RECV_IP_082080 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1371. #counts SARE_RECV_IP_082080 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1372. #max SARE_RECV_IP_082080 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1373. #counts SARE_RECV_IP_082080 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1374. #max SARE_RECV_IP_082080 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  1375. #counts SARE_RECV_IP_082080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1376. #counts SARE_RECV_IP_082080 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1377. #counts SARE_RECV_IP_082080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
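  1378. header SARE_RECV_IP_082102 Received =~ /\[82\.102\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3}\]/
  1379. describe SARE_RECV_IP_082102 Spam passed through possible spammer relay
  1380. score SARE_RECV_IP_082102 0.555
        #note SARE_RECV_IP_082102 Matches a bracketed IPv4 literal in 82.102.32.x through 82.102.63.x in a Received header
        #note SARE_RECV_IP_082102 The separator before the last octet is written \. so only a literal dot matches; an unescaped . would accept any character there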
  1381. #stype SARE_RECV_IP_082102 spamp
  1382. #hist SARE_RECV_IP_082102 Created by Bob Menschel May 20 2004
  1383. #counts SARE_RECV_IP_082102 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1384. #max SARE_RECV_IP_082102 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1385. #counts SARE_RECV_IP_082102 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1386. #counts SARE_RECV_IP_082102 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1387. #max SARE_RECV_IP_082102 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  1388. #counts SARE_RECV_IP_082102 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1389. #max SARE_RECV_IP_082102 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1390. #counts SARE_RECV_IP_082102 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1391. #counts SARE_RECV_IP_082102 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1392. header SARE_RECV_IP_082154 Received =~ /\[82\.15[45]\.\d{1,3}\.\d{1,3}\]/
  1393. describe SARE_RECV_IP_082154 Passed through possible spammer relay or source
  1394. score SARE_RECV_IP_082154 1.666
        #note SARE_RECV_IP_082154 Matches a bracketed IPv4 literal in 82.154.x.x or 82.155.x.x in a Received header
  1395. #ham SARE_RECV_IP_082154 confirmed (1)
  1396. #hist SARE_RECV_IP_082154 Created by Bob Menschel Aug 10 2004
  1397. #counts SARE_RECV_IP_082154 256s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1398. #max SARE_RECV_IP_082154 572s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
  1399. #counts SARE_RECV_IP_082154 62s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1400. #counts SARE_RECV_IP_082154 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1401. #counts SARE_RECV_IP_082154 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1402. #max SARE_RECV_IP_082154 43s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1403. #counts SARE_RECV_IP_082154 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1404. #counts SARE_RECV_IP_082154 231s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1405. #counts SARE_RECV_IP_082154 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1406. header SARE_RECV_IP_083028 Received =~ /\[83\.28\.\d{1,3}\.\d{1,3}\]/
  1407. describe SARE_RECV_IP_083028 Passed through possible spammer relay or source
  1408. score SARE_RECV_IP_083028 1.666
        #note SARE_RECV_IP_083028 Matches any bracketed IPv4 literal in 83.28.x.x in a Received header
  1409. #ham SARE_RECV_IP_083028 verified (1)
  1410. #hist SARE_RECV_IP_083028 Created by Bob Menschel Sep 10 2004
  1411. #note SARE_RECV_IP_083028 Large block of IP addresses in Poland
  1412. #counts SARE_RECV_IP_083028 8s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1413. #max SARE_RECV_IP_083028 171s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  1414. #counts SARE_RECV_IP_083028 157s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1415. #counts SARE_RECV_IP_083028 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1416. #counts SARE_RECV_IP_083028 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1417. #max SARE_RECV_IP_083028 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
  1418. #counts SARE_RECV_IP_083028 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1419. #counts SARE_RECV_IP_083028 42s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1420. #counts SARE_RECV_IP_083028 19s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1421. header SARE_RECV_IP_140117 Received =~ /\[140\.1(?:1[789]|2\d|3[0-8])\.\d{1,3}\.\d{1,3}\]/
  1422. describe SARE_RECV_IP_140117 Passed through possible spammer relay or source
  1423. score SARE_RECV_IP_140117 0.690
        #note SARE_RECV_IP_140117 Matches a bracketed IPv4 literal in 140.117.x.x through 140.138.x.x in a Received header
  1424. #ham SARE_RECV_IP_140117 confirmed (1)
  1425. #hist SARE_RECV_IP_140117 Created by Bob Menschel Oct 03 2004
  1426. #note SARE_RECV_IP_140117 Ministry of Education Computing Center, Taipei, Taiwan
  1427. #counts SARE_RECV_IP_140117 26s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1428. #max SARE_RECV_IP_140117 87s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1429. #counts SARE_RECV_IP_140117 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1430. #counts SARE_RECV_IP_140117 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1431. #counts SARE_RECV_IP_140117 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1432. #counts SARE_RECV_IP_140117 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1433. #max SARE_RECV_IP_140117 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1434. #counts SARE_RECV_IP_140117 22s/4h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1435. #counts SARE_RECV_IP_140117 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1436. header SARE_RECV_IP_142046 Received =~ /\[142\.46\.148\.\d{1,3}\]/
  1437. describe SARE_RECV_IP_142046 Passed through possible spammer relay or source
  1438. score SARE_RECV_IP_142046 0.555
        #note SARE_RECV_IP_142046 Matches only bracketed 142.46.148.x; the rule name carries just the first two octets, the pattern is narrower
  1439. #stype SARE_RECV_IP_142046 spamp
  1440. #hist SARE_RECV_IP_142046 Created by Bob Menschel Feb 10 2005 from Spam-L info
  1441. #counts SARE_RECV_IP_142046 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
  1442. #max SARE_RECV_IP_142046 8s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
  1443. #counts SARE_RECV_IP_142046 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1444. #counts SARE_RECV_IP_142046 5s/0h of 155106 corpus (103557s/51549h DOC) 05/14/06
  1445. #counts SARE_RECV_IP_142046 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  1446. #counts SARE_RECV_IP_142046 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
  1447. #counts SARE_RECV_IP_142046 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
  1448. header SARE_RECV_IP_192116 Received =~ /\[192\.116\.13[3-7]\.\d{1,3}\]/
  1449. describe SARE_RECV_IP_192116 Passed through possible spammer relay or source
  1450. score SARE_RECV_IP_192116 0.861
        #note SARE_RECV_IP_192116 Matches a bracketed IPv4 literal in 192.116.133.x through 192.116.137.x in a Received header
  1451. #note SARE_RECV_IP_192116 GILAT-SATCOM
  1452. #hist SARE_RECV_IP_192116 Created by Bob Menschel Nov 16 2004
  1453. #counts SARE_RECV_IP_192116 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1454. #max SARE_RECV_IP_192116 52s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
  1455. #counts SARE_RECV_IP_192116 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1456. #counts SARE_RECV_IP_192116 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  1457. #counts SARE_RECV_IP_192116 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1458. #max SARE_RECV_IP_192116 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1459. #counts SARE_RECV_IP_192116 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  1460. header SARE_RECV_IP_200150 Received =~ /\[200\.150\.\d{1,3}\.\d{1,3}\]/
  1461. describe SARE_RECV_IP_200150 Spam passed through possible spammer relay
  1462. score SARE_RECV_IP_200150 0.612
        #note SARE_RECV_IP_200150 Matches any bracketed IPv4 literal in 200.150.x.x in a Received header
  1463. #ham SARE_RECV_IP_200150 confirmed (2)
  1464. #hist SARE_RECV_IP_200150 Created by Bob Menschel Aug 29 2004
  1465. #counts SARE_RECV_IP_200150 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1466. #max SARE_RECV_IP_200150 142s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
  1467. #counts SARE_RECV_IP_200150 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1468. #counts SARE_RECV_IP_200150 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1469. #counts SARE_RECV_IP_200150 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1470. #counts SARE_RECV_IP_200150 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1471. #max SARE_RECV_IP_200150 3s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1472. #counts SARE_RECV_IP_200150 14s/5h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1473. #counts SARE_RECV_IP_200150 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
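  1474. header SARE_RECV_IP_203210128 Received =~ /\[203\.210\.(?:1(?:2[89]|[3-9]\d)|2\d\d)\.\d{1,3}\]/
  1475. describe SARE_RECV_IP_203210128 Spam passed through possible spammer relay
  1476. score SARE_RECV_IP_203210128 0.959
        #note SARE_RECV_IP_203210128 Matches a bracketed IPv4 literal in 203.210.x.x whose third octet is 128 or higher
        #note SARE_RECV_IP_203210128 The separator after 203 is written \. so only a literal dot matches; an unescaped . would accept any character there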
  1477. #ham SARE_RECV_IP_203210128 verified (3)
  1478. #hist SARE_RECV_IP_203210128 Created by Bob Menschel May 14 2005
  1479. #note SARE_RECV_IP_203210128 Vietnam Posts and Telecommunications (VNPT)
  1480. #counts SARE_RECV_IP_203210128 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1481. #max SARE_RECV_IP_203210128 56s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
  1482. #counts SARE_RECV_IP_203210128 43s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1483. #counts SARE_RECV_IP_203210128 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1484. #max SARE_RECV_IP_203210128 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1485. #counts SARE_RECV_IP_203210128 13s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1486. #counts SARE_RECV_IP_203210128 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1487. #max SARE_RECV_IP_203210128 79s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1488. #counts SARE_RECV_IP_203210128 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1489. #counts SARE_RECV_IP_203210128 116s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1490. header SARE_RECV_IP_203177 Received =~ /\[203\.177\.1(?:2[89]|[3-8]\d|9[01])\.\d{1,3}\]/
  1491. describe SARE_RECV_IP_203177 Passed through possible spammer relay or source
  1492. score SARE_RECV_IP_203177 0.772
        #note SARE_RECV_IP_203177 Matches a bracketed IPv4 literal in 203.177.128.x through 203.177.191.x in a Received header
  1493. #hist SARE_RECV_IP_203177 Created by Bob Menschel Aug 20 2004
  1494. #ham SARE_RECV_IP_203177 verified (1)
  1495. #counts SARE_RECV_IP_203177 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1496. #max SARE_RECV_IP_203177 42s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
  1497. #counts SARE_RECV_IP_203177 23s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1498. #counts SARE_RECV_IP_203177 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1499. #counts SARE_RECV_IP_203177 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1500. #max SARE_RECV_IP_203177 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1501. #counts SARE_RECV_IP_203177 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1502. #max SARE_RECV_IP_203177 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1503. #counts SARE_RECV_IP_203177 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1504. #counts SARE_RECV_IP_203177 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1505. header SARE_RECV_IP_206131 Received =~ /\[206\.131\.2(?:2[4-9]|[345]\d)\.\d{1,3}\]/
  1506. describe SARE_RECV_IP_206131 Spam passed through possible spammer relay
  1507. score SARE_RECV_IP_206131 1.666
        #note SARE_RECV_IP_206131 Matches a bracketed IPv4 literal in 206.131.x.x whose third octet is 224 or higher
  1508. #ham SARE_RECV_IP_206131 confirmed (1)
  1509. #hist SARE_RECV_IP_206131 Created by Bob Menschel Feb 5 2005 from Spam-L info
  1510. #note SARE_RECV_IP_206131 Minerva Network Systems, Inc.
  1511. #counts SARE_RECV_IP_206131 54s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  1512. #max SARE_RECV_IP_206131 2849s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  1513. #counts SARE_RECV_IP_206131 692s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1514. #counts SARE_RECV_IP_206131 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
  1515. #counts SARE_RECV_IP_206131 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1516. #max SARE_RECV_IP_206131 34s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1517. #counts SARE_RECV_IP_206131 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1518. #counts SARE_RECV_IP_206131 1699s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1519. #counts SARE_RECV_IP_206131 31s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1520. header SARE_RECV_IP_209051 Received =~ /\[209\.51\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
  1521. describe SARE_RECV_IP_209051 Spam passed through possible spammer relay
  1522. score SARE_RECV_IP_209051 1.111
        #note SARE_RECV_IP_209051 Matches a bracketed IPv4 literal in 209.51.x.x whose third octet is 192 or higher
  1523. #stype SARE_RECV_IP_209051 spamp
  1524. #hist SARE_RECV_IP_209051 Created by Bob Menschel Aug 07 2005
  1525. #note SARE_RECV_IP_209051 S-INFOTECH, Inc.
  1526. #counts SARE_RECV_IP_209051 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1527. #max SARE_RECV_IP_209051 56s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1528. #counts SARE_RECV_IP_209051 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  1529. #counts SARE_RECV_IP_209051 22s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1530. #counts SARE_RECV_IP_209051 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1531. #counts SARE_RECV_IP_209051 1s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
  1532. header SARE_RECV_IP_216118120 Received =~ /\[216\.118\.120\.(?:6[4-9]|[78]\d|9[0-1])\]/
  1533. describe SARE_RECV_IP_216118120 Spam passed through possible spammer relay
  1534. score SARE_RECV_IP_216118120 2.222
        #note SARE_RECV_IP_216118120 Matches bracketed 216.118.120.64 through 216.118.120.91 only; this is the narrowest range and the highest score among the SARE_RECV_IP rules in this section
  1535. #hist SARE_RECV_IP_216118120 Created by Bob Menschel Aug 07 2005
  1536. #counts SARE_RECV_IP_216118120 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1537. #max SARE_RECV_IP_216118120 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1538. #counts SARE_RECV_IP_216118120 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  1539. #counts SARE_RECV_IP_216118120 10s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1540. #counts SARE_RECV_IP_216118120 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
  1541. header SARE_RECV_IP_211216 Received =~ /\[211\.2(?:1[6-9]|2[0-5]\d)\.\d{1,3}\.\d{1,3}\]/
  1542. describe SARE_RECV_IP_211216 Passed through possible spammer relay or source
  1543. score SARE_RECV_IP_211216 0.978
        #note SARE_RECV_IP_211216 As written, the second octet is 2 followed by 1[6-9] (216-219) or by 2[0-5]\d (a four-digit 2200-2259), so only 211.216.x.x through 211.219.x.x can match a real address
        #note SARE_RECV_IP_211216 NOTE(review): the 2[0-5]\d branch looks like it was meant to be 2[0-5] (220-225) - confirm the intended allocation before changing it, since widening the range raises the false-positive risk the naver.com note warns about
  1544. #stype SARE_RECV_IP_211216 max:1.000
  1545. #ham SARE_RECV_IP_211216 confirmed (1) - YahooGroups moderated group, posting approved by moderator
  1546. #hist SARE_RECV_IP_211216 Created by Bob Menschel Aug 20 2004
  1547. #note SARE_RECV_IP_211216 Korea Telecom
  1548. #note SARE_RECV_IP_211216 Score kept low to avoid FPs for naver.com
  1549. #counts SARE_RECV_IP_211216 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1550. #max SARE_RECV_IP_211216 1308s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  1551. #counts SARE_RECV_IP_211216 33s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1552. #counts SARE_RECV_IP_211216 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1553. #counts SARE_RECV_IP_211216 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1554. #max SARE_RECV_IP_211216 40s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1555. #counts SARE_RECV_IP_211216 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1556. #max SARE_RECV_IP_211216 14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1557. #counts SARE_RECV_IP_211216 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1558. #counts SARE_RECV_IP_211216 14s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1559. header SARE_RECV_IP_212068 Received =~ /\[212\.68\.2[45]\d\.\d{1,3}\]/
  1560. describe SARE_RECV_IP_212068 Spam passed through possible spammer relay
  1561. score SARE_RECV_IP_212068 1.111
        #note SARE_RECV_IP_212068 Matches a bracketed IPv4 literal in 212.68.x.x whose third octet is 240 or higher
  1562. #stype SARE_RECV_IP_212068 spamp
  1563. #hist SARE_RECV_IP_212068 Created by Bob Menschel Apr 09 2004
  1564. #counts SARE_RECV_IP_212068 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1565. #max SARE_RECV_IP_212068 18s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1566. #counts SARE_RECV_IP_212068 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1567. #counts SARE_RECV_IP_212068 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1568. #max SARE_RECV_IP_212068 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  1569. #counts SARE_RECV_IP_212068 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1570. #max SARE_RECV_IP_212068 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1571. #counts SARE_RECV_IP_212068 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1572. #counts SARE_RECV_IP_212068 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1573. header SARE_RECV_IP_216022 Received =~ /\[216\.22\.\d{1,3}\.\d{1,3}\]/
  1574. describe SARE_RECV_IP_216022 Spam passed through possible spammer relay
  1575. score SARE_RECV_IP_216022 1.666
        #note SARE_RECV_IP_216022 Matches any bracketed IPv4 literal in 216.22.x.x in a Received header
  1576. #hist SARE_RECV_IP_216022 Created by Bob Menschel May 14 2005
  1577. #counts SARE_RECV_IP_216022 270s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1578. #max SARE_RECV_IP_216022 1146s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
  1579. #counts SARE_RECV_IP_216022 196s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1580. #counts SARE_RECV_IP_216022 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1581. #counts SARE_RECV_IP_216022 554s/6h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1582. #counts SARE_RECV_IP_216022 212s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1583. #counts SARE_RECV_IP_216022 307s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1584. header SARE_RECV_IP_218070 Received =~ /\[218\.70\.\d{1,3}\.\d{1,3}\]/
  1585. describe SARE_RECV_IP_218070 Spam passed through possible spammer relay
  1586. score SARE_RECV_IP_218070 1.111
        #note SARE_RECV_IP_218070 Matches any bracketed IPv4 literal in 218.70.x.x in a Received header
  1587. #stype SARE_RECV_IP_218070 spamp
  1588. #counts SARE_RECV_IP_218070 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1589. #max SARE_RECV_IP_218070 21s/0h of 112471 corpus (92494s/19977h) 03/14/04
  1590. #counts SARE_RECV_IP_218070 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1591. #counts SARE_RECV_IP_218070 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1592. #max SARE_RECV_IP_218070 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  1593. #counts SARE_RECV_IP_218070 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1594. #max SARE_RECV_IP_218070 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  1595. #counts SARE_RECV_IP_218070 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1596. #counts SARE_RECV_IP_218070 3s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when any Received header contains a bracketed IPv4 literal beginning 218.72.
  # NOTE(review): Received lines below your trust boundary are sender-controlled, so
  # this is a weak indicator on its own. The count lines that follow include ham hits
  # (13s/2h in the AxB2 corpus) and stop in 2006.
  1597. header SARE_RECV_IP_218072 Received =~ /\[218\.72\.\d{1,3}\.\d{1,3}\]/
  1598. describe SARE_RECV_IP_218072 Spam passed through possible spammer relay
  1599. score SARE_RECV_IP_218072 0.813
  1600. #hist SARE_RECV_IP_218072 Created by Bob Menschel May 23 2004
  1601. #counts SARE_RECV_IP_218072 87s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1602. #counts SARE_RECV_IP_218072 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1603. #max SARE_RECV_IP_218072 22s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  1604. #counts SARE_RECV_IP_218072 13s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1605. #counts SARE_RECV_IP_218072 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1606. #max SARE_RECV_IP_218072 133s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1607. #counts SARE_RECV_IP_218072 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1608. #max SARE_RECV_IP_218072 13s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1609. #counts SARE_RECV_IP_218072 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1610. #counts SARE_RECV_IP_218072 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when any Received header contains a bracketed IPv4 literal 218.N.x.x with
  # N in 78-83 (alternation 7[89] | 8[0123]).
  # NOTE(review): this scores six /16 blocks on a header that can be partly
  # sender-written. The attribution in the #note line and the counts date from
  # 2004-2006; confirm the allocation is unchanged before deploying.
  1611. header SARE_RECV_IP_218078 Received =~ /\[218\.(?:7[89]|8[0123])\.\d{1,3}\.\d{1,3}\]/
  1612. describe SARE_RECV_IP_218078 Passed through possible spammer relay or source
  1613. score SARE_RECV_IP_218078 1.666
  1614. #hist SARE_RECV_IP_218078 Created by Bob Menschel Oct 07 2004
  1615. #ham SARE_RECV_IP_218078 confirmed (1)
  1616. #note SARE_RECV_IP_218078 ChinaNet, Shanghai Province
  1617. #counts SARE_RECV_IP_218078 34s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1618. #max SARE_RECV_IP_218078 581s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
  1619. #counts SARE_RECV_IP_218078 51s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1620. #counts SARE_RECV_IP_218078 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1621. #counts SARE_RECV_IP_218078 136s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1622. #max SARE_RECV_IP_218078 677s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  1623. #counts SARE_RECV_IP_218078 53s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1624. #max SARE_RECV_IP_218078 74s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1625. #counts SARE_RECV_IP_218078 67s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1626. #counts SARE_RECV_IP_218078 58s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when any Received header contains a bracketed IPv4 literal beginning
  # 218.88 or 218.89 (i.e. 218.88.0.0/15).
  # NOTE(review): the match is not limited to the relay that handed the message to
  # your own MTA; earlier Received lines can be forged. The recorded counts end in
  # 2006, so re-test against current mail.
  1627. header SARE_RECV_IP_218088 Received =~ /\[218\.8[89]\.\d{1,3}\.\d{1,3}\]/
  1628. describe SARE_RECV_IP_218088 Passed through possible spammer relay or source
  1629. score SARE_RECV_IP_218088 1.100
  1630. #ham SARE_RECV_IP_218088 confirmed: 1
  1631. #note SARE_RECV_IP_218088 CHINANET sichuan province network
  1632. #hist SARE_RECV_IP_218088 Created by Bob Menschel Nov 04 2004
  1633. #counts SARE_RECV_IP_218088 29s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1634. #max SARE_RECV_IP_218088 111s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
  1635. #counts SARE_RECV_IP_218088 15s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1636. #counts SARE_RECV_IP_218088 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1637. #max SARE_RECV_IP_218088 13s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
  1638. #counts SARE_RECV_IP_218088 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1639. #max SARE_RECV_IP_218088 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
  1640. #counts SARE_RECV_IP_218088 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1641. #max SARE_RECV_IP_218088 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1642. #counts SARE_RECV_IP_218088 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1643. #counts SARE_RECV_IP_218088 25s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when any Received header contains a bracketed IPv4 literal 218.N.x.x with
  # N in 216-231 (21[6-9] | 22\d | 23[01]).
  # NOTE(review): this is sixteen /16 blocks matched on a partly sender-controlled
  # header. The count lines that follow show real ham hits (121s/22h DOC,
  # 260s/8h RM max), which is consistent with the low score; keep it low.
  1644. header SARE_RECV_IP_218216 Received =~ /\[218\.(?:21[6-9]|22\d|23[01])\.\d{1,3}\.\d{1,3}\]/
  1645. describe SARE_RECV_IP_218216 Passed through possible spammer relay or source
  1646. score SARE_RECV_IP_218216 0.629
  1647. #ham SARE_RECV_IP_218216 confirmed (2)
  1648. #hist SARE_RECV_IP_218216 Created by Bob Menschel Oct 23 2004
  1649. #counts SARE_RECV_IP_218216 88s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1650. #max SARE_RECV_IP_218216 260s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
  1651. #counts SARE_RECV_IP_218216 31s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1652. #counts SARE_RECV_IP_218216 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1653. #counts SARE_RECV_IP_218216 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1654. #max SARE_RECV_IP_218216 12s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
  1655. #counts SARE_RECV_IP_218216 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1656. #max SARE_RECV_IP_218216 11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1657. #counts SARE_RECV_IP_218216 121s/22h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1658. #counts SARE_RECV_IP_218216 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when any Received header contains a bracketed IPv4 literal 219.N.x.x with
  # N in 128-137 (1 followed by 2[89] | 3[0-7]).
  # NOTE(review): a hit does not establish that the message really transited this
  # range, since Received lines added upstream of your trusted relays are
  # attacker-writable. The counts end in 2006.
  1659. header SARE_RECV_IP_219128 Received =~ /\[219\.1(?:2[89]|3[0-7])\.\d{1,3}\.\d{1,3}\]/
  1660. describe SARE_RECV_IP_219128 Passed through possible spammer relay or source
  1661. score SARE_RECV_IP_219128 1.666
  1662. #hist SARE_RECV_IP_219128 Created by Bob Menschel Aug 23 2004
  1663. #counts SARE_RECV_IP_219128 381s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  1664. #max SARE_RECV_IP_219128 1752s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  1665. #counts SARE_RECV_IP_219128 114s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1666. #counts SARE_RECV_IP_219128 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1667. #counts SARE_RECV_IP_219128 79s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1668. #max SARE_RECV_IP_219128 225s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1669. #counts SARE_RECV_IP_219128 52s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1670. #counts SARE_RECV_IP_219128 36s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1671. #counts SARE_RECV_IP_219128 116s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when any Received header contains a bracketed IPv4 literal 220.N.x.x with
  # N in 116-127 (11[6-9] | 12[0-7]).
  # NOTE(review): this scores a whole provider range (see the #note line) on a header
  # that can contain forged entries. Legitimate senders in the range are penalised
  # too, so confirm the 2004-2006 statistics still hold.
  1672. header SARE_RECV_IP_220116 Received =~ /\[220\.(?:11[6-9]|12[0-7])\.\d{1,3}\.\d{1,3}\]/
  1673. describe SARE_RECV_IP_220116 Passed through possible spammer relay or source
  1674. score SARE_RECV_IP_220116 1.666
  1675. #ham SARE_RECV_IP_220116 confirmed (1)
  1676. #hist SARE_RECV_IP_220116 Created by Bob Menschel Jul 17 2004
  1677. #note SARE_RECV_IP_220116 Korea Telecom
  1678. #counts SARE_RECV_IP_220116 180s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  1679. #max SARE_RECV_IP_220116 1177s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
  1680. #counts SARE_RECV_IP_220116 192s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1681. #counts SARE_RECV_IP_220116 108s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1682. #counts SARE_RECV_IP_220116 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1683. #max SARE_RECV_IP_220116 161s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1684. #counts SARE_RECV_IP_220116 23s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1685. #max SARE_RECV_IP_220116 58s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  1686. #counts SARE_RECV_IP_220116 206s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1687. #counts SARE_RECV_IP_220116 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when any Received header contains a bracketed IPv4 literal beginning
  # 221.124 through 221.127 (i.e. 221.124.0.0/14).
  # NOTE(review): this matches all Received lines, not only those added by hosts you
  # trust. The recorded counts end in 2006; re-validate before use.
  1688. header SARE_RECV_IP_221124 Received =~ /\[221\.12[4-7]\.\d{1,3}\.\d{1,3}\]/
  1689. describe SARE_RECV_IP_221124 Spam passed through possible spammer relay
  1690. score SARE_RECV_IP_221124 1.666
  1691. #hist SARE_RECV_IP_221124 Created by Bob Menschel May 30 2004
  1692. #counts SARE_RECV_IP_221124 91s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1693. #max SARE_RECV_IP_221124 633s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1694. #counts SARE_RECV_IP_221124 88s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1695. #counts SARE_RECV_IP_221124 66s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1696. #max SARE_RECV_IP_221124 74s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
  1697. #counts SARE_RECV_IP_221124 4s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
  1698. #max SARE_RECV_IP_221124 16s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
  1699. #counts SARE_RECV_IP_221124 15s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1700. #max SARE_RECV_IP_221124 24s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1701. #counts SARE_RECV_IP_221124 56s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1702. #counts SARE_RECV_IP_221124 119s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when any Received header contains a bracketed IPv4 literal 222.N.x.x with
  # N in 0-15 (a single digit, or 1[0-5]), i.e. 222.0.0.0/12.
  # NOTE(review): this is a /12 matched on a header that may hold sender-written
  # lines. The count lines that follow include ham (171s/19h RM max) and end in 2006.
  1703. header SARE_RECV_IP_222000 Received =~ /\[222\.(?:\d|1[0-5])\.\d{1,3}\.\d{1,3}\]/
  1704. describe SARE_RECV_IP_222000 Passed through possible spammer relay or source
  1705. score SARE_RECV_IP_222000 1.508
  1706. #ham SARE_RECV_IP_222000 confirmed (1)
  1707. #hist SARE_RECV_IP_222000 Created by Bob Menschel Aug 09 2004
  1708. #counts SARE_RECV_IP_222000 79s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1709. #max SARE_RECV_IP_222000 171s/19h of 689155 corpus (348140s/341015h RM) 09/18/05
  1710. #counts SARE_RECV_IP_222000 80s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1711. #counts SARE_RECV_IP_222000 20s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1712. #counts SARE_RECV_IP_222000 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
  1713. #counts SARE_RECV_IP_222000 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1714. #max SARE_RECV_IP_222000 7s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1715. #counts SARE_RECV_IP_222000 133s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1716. #counts SARE_RECV_IP_222000 18s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when any Received header contains a bracketed IPv4 literal 222.N.x.x with
  # N in 64-73 (6[4-9] | 7[0-3]).
  # NOTE(review): Received entries upstream of your trusted relays can be forged, so
  # this is supporting evidence only. The statistics recorded for the rule end in 2006.
  1717. header SARE_RECV_IP_222064 Received =~ /\[222\.(?:6[4-9]|7[0-3])\.\d{1,3}\.\d{1,3}\]/
  1718. describe SARE_RECV_IP_222064 Spam passed through possible spammer relay
  1719. score SARE_RECV_IP_222064 1.666
  1720. #ham SARE_RECV_IP_222064 verified (1)
  1721. #hist SARE_RECV_IP_222064 Created by Bob Menschel Apr 18 2004
  1722. #counts SARE_RECV_IP_222064 115s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
  1723. #max SARE_RECV_IP_222064 831s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
  1724. #counts SARE_RECV_IP_222064 54s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1725. #counts SARE_RECV_IP_222064 95s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1726. #max SARE_RECV_IP_222064 97s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
  1727. #counts SARE_RECV_IP_222064 189s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
  1728. #max SARE_RECV_IP_222064 849s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
  1729. #counts SARE_RECV_IP_222064 17s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1730. #max SARE_RECV_IP_222064 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1731. #counts SARE_RECV_IP_222064 352s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1732. #counts SARE_RECV_IP_222064 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1733. #####################################################################################
  1734. # SARE Reply-To Rules
  1735. ######## ###################### ##################################################
  1736. #####################################################################################
  1737. # SARE To/Cc Destination rules
  1738. ######## ###################### ##################################################
  # Fires when the To header contains the literal text "<>" anywhere in its value.
  # The score line gives four values, one per score set. Sets 0 and 2 (network tests
  # off) are 0.000, which disables the rule there; sets 1 and 3 score 0.222.
  # The score is kept low because the rule overlaps the stock TO_NO_USER rule (see the
  # #overlap line that follows).
  1739. header SARE_TO_EMPTY To =~ /<>/
  1740. describe SARE_TO_EMPTY To address is set to empty
  1741. #core SARE_TO_EMPTY 0.330 0.550 0.000 0.550 # prev target: 0.660 when added to TO_NO_USER
  1742. score SARE_TO_EMPTY 0.000 0.222 0.000 0.222 # curr target: 0.333 when added to TO_NO_USER
  1743. #hist SARE_TO_EMPTY Originally submitted by Bob Menschel
  1744. #overlap SARE_TO_EMPTY Distrib: TO_NO_USER: score TO_NO_USER 0.332 0.116 1.615 0.128
  1745. #counts SARE_TO_EMPTY 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1746. #max SARE_TO_EMPTY 26s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
  1747. #counts SARE_TO_EMPTY 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1748. #counts SARE_TO_EMPTY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  1749. #counts SARE_TO_EMPTY 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  1750. #max SARE_TO_EMPTY 0s/1h of 11052 corpus (6614s/4438h CT) 03/10/05
  1751. #counts SARE_TO_EMPTY 0s/2h of 5653 corpus (1019s/4634h ft) 06/04/05
  1752. #####################################################################################
  1753. # SARE X-Mailer Rules
  1754. ######## ###################### ##################################################
  # Fires when the X-Mailer header contains the case-sensitive substring "PSS Mailer".
  # NOTE(review): X-Mailer is set by the sending software and is trivially changed or
  # omitted, so this only catches senders that leave the default string in place.
  # The latest RM run recorded after this rule shows 0 hits.
  1755. header SARE_XMAIL_PSSMAILER X-Mailer =~ /PSS Mailer/
  1756. describe SARE_XMAIL_PSSMAILER Apparently uses bulk mailer
  1757. score SARE_XMAIL_PSSMAILER 1.111
  1758. #stype SARE_XMAIL_PSSMAILER spamp
  1759. #hist SARE_XMAIL_PSSMAILER RM_hxm_PSSMailer
  1760. #counts SARE_XMAIL_PSSMAILER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1761. #max SARE_XMAIL_PSSMAILER 12s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
  1762. #counts SARE_XMAIL_PSSMAILER 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
  1763. #counts SARE_XMAIL_PSSMAILER 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
  1764. #counts SARE_XMAIL_PSSMAILER 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1765. #counts SARE_XMAIL_PSSMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
  # Fires when the X-Mailer header contains the case-sensitive substring "RLSP".
  # There is no word boundary, so the four letters match inside a longer token too.
  # NOTE(review): the #ham line that follows records legitimate newsletters and
  # personal mail using this mailer (4h in the RM corpus). The header is sender-set,
  # so keep the score low and combine it with other evidence.
  1766. header SARE_XMAIL_RLSP X-Mailer =~ /RLSP/
  1767. describe SARE_XMAIL_RLSP Uses Bulk Mailer used by spammers
  1768. score SARE_XMAIL_RLSP 0.740
  1769. #ham SARE_XMAIL_RLSP cartoon newsletter, personal emails (2)
  1770. #hist SARE_XMAIL_RLSP Created by Bob Menschel Sep 27 2004
  1771. #counts SARE_XMAIL_RLSP 26s/4h of 173032 corpus (99056s/73976h RM) 05/11/06
  1772. #max SARE_XMAIL_RLSP 1782s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
  1773. #counts SARE_XMAIL_RLSP 52s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1774. #counts SARE_XMAIL_RLSP 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1775. #counts SARE_XMAIL_RLSP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  1776. #counts SARE_XMAIL_RLSP 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1777. #max SARE_XMAIL_RLSP 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  1778. #counts SARE_XMAIL_RLSP 68s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1779. #counts SARE_XMAIL_RLSP 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1780. #####################################################################################
  1781. # SARE Miscellaneous and X-Header header rules
  1782. ######## ###################### ##################################################
  # Fires when the whole Date header value is between 1 and 14 characters long
  # (anchored ^...$), i.e. too short to be a complete date-time.
  # NOTE(review): unlike SARE_HEAD_DATE46, this rule has no describe line, so reports
  # list it without an explanation.
  1783. header SARE_HEAD_DATE14 Date =~ /^.{1,14}$/
  1784. score SARE_HEAD_DATE14 0.847
  1785. #counts SARE_HEAD_DATE14 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1786. #max SARE_HEAD_DATE14 313s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1787. #counts SARE_HEAD_DATE14 43s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
  1788. #counts SARE_HEAD_DATE14 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
  1789. #counts SARE_HEAD_DATE14 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1790. #max SARE_HEAD_DATE14 0s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
  1791. #counts SARE_HEAD_DATE14 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1792. #counts SARE_HEAD_DATE14 2s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  # Fires when the whole Date header value is exactly 46 characters long. The rule
  # checks length only; it does not parse the date.
  # NOTE(review): this is a fingerprint of one mailer's formatting rather than a
  # validity check. The #ham line that follows confirms a legitimate hit, and any
  # sender whose Date happens to be 46 characters scores 1.666.
  1793. header SARE_HEAD_DATE46 Date =~ /^.{46}$/
  1794. describe SARE_HEAD_DATE46 Date header suggests this is spam
  1795. score SARE_HEAD_DATE46 1.666
  1796. #ham SARE_HEAD_DATE46 Confirmed (1)
  1797. #counts SARE_HEAD_DATE46 409s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1798. #counts SARE_HEAD_DATE46 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1799. #counts SARE_HEAD_DATE46 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
  1800. #counts SARE_HEAD_DATE46 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
  1801. #counts SARE_HEAD_DATE46 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1802. #counts SARE_HEAD_DATE46 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1803. #counts SARE_HEAD_DATE46 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
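  # SARE_HEAD_MIME_INVALID fires when a MIME-Version header is present but its value
  # does not begin (after optional whitespace) with the literal version "1.0".
  #   __MIME_VERSION          - the header exists
  #   __SARE_HEAD_MIME_VALID  - the value starts with 1.0 followed by a word boundary
  # The dot is escaped so that only "1.0" counts as valid; unescaped, it accepted any
  # character between the digits (for example "1x0" or "100").
  # NOTE(review): RFC 2045 allows a comment before or inside the version number;
  # such headers are reported as invalid by this rule.
  1804. header __MIME_VERSION exists:MIME-Version
  1805. header __SARE_HEAD_MIME_VALID Mime-Version =~ m'^\s*1\.0\b'
  1806. meta SARE_HEAD_MIME_INVALID !__SARE_HEAD_MIME_VALID && __MIME_VERSION
  1807. describe SARE_HEAD_MIME_INVALID Invalid mime version
  1808. score SARE_HEAD_MIME_INVALID 1.116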
  1809. #ham SARE_HEAD_MIME_INVALID confirmed
  1810. #hist SARE_HEAD_MIME_INVALID Bob Menschel, June 15 2005, inspired by Alex Broens
  1811. #counts SARE_HEAD_MIME_INVALID 433s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1812. #counts SARE_HEAD_MIME_INVALID 7s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
  1813. #counts SARE_HEAD_MIME_INVALID 3s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
  1814. #counts SARE_HEAD_MIME_INVALID 0s/5h of 15713 corpus (7767s/7946h FT) 05/14/06
  1815. #counts SARE_HEAD_MIME_INVALID 172s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
  # Fires when the Organization header contains the phrase "Prefix that with"
  # (case-insensitive).
  # NOTE(review): the counts recorded after this rule are almost all zero (max 10s),
  # so it may no longer be worth carrying.
  1816. header SARE_HEAD_ORG_PREFIXW Organization =~ /Prefix that with/i
  1817. describe SARE_HEAD_ORG_PREFIXW Spam sign in Organization header
  1818. score SARE_HEAD_ORG_PREFIXW 0.617
  1819. #hist SARE_HEAD_ORG_PREFIXW Alex Broens, Feb 20 2005
  1820. #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
  1821. #max SARE_HEAD_ORG_PREFIXW 10s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
  1822. #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
  1823. #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
  1824. #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1825. #max SARE_HEAD_ORG_PREFIXW 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1826. #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
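  # Fires when the X-Library header contains the exact version string
  # "Indy 10.00.14-B". The dots are escaped so that they match only a literal "."
  # and not any character.
  # NOTE(review): X-Library is written by the sending software and can be altered, so
  # this identifies an unmodified client build, not a sender.
  1827. header SARE_HEAD_XLIB_INDY1 X-Library =~ /Indy 10\.00\.14-B/
  1828. describe SARE_HEAD_XLIB_INDY1 Uses S/W version which has only been seen in spam
  1829. score SARE_HEAD_XLIB_INDY1 0.844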
  1830. #hist SARE_HEAD_XLIB_INDY1 Originally submitted by Bob Menschel, RM.hxl_ForgedIndy
  1831. #counts SARE_HEAD_XLIB_INDY1 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
  1832. #max SARE_HEAD_XLIB_INDY1 30s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
  1833. #counts SARE_HEAD_XLIB_INDY1 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1834. #max SARE_HEAD_XLIB_INDY1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
  1835. #counts SARE_HEAD_XLIB_INDY1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  1836. #max SARE_HEAD_XLIB_INDY1 13s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  1837. #counts SARE_HEAD_XLIB_INDY1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
  1838. #counts SARE_HEAD_XLIB_INDY1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
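  # Fires when the X-Library header contains the version string "Indy 8.0.25". The
  # dots are escaped so that they match only a literal "." and not any character.
  # There is no trailing boundary, so a longer version that starts with 8.0.25 matches.
  # NOTE(review): the #ham line that follows records a verified legitimate hit, so the
  # describe text ("only been seen in spam") overstates the evidence.
  1839. header SARE_HEAD_XLIB_INDY2 X-Library =~ /Indy 8\.0\.25/
  1840. describe SARE_HEAD_XLIB_INDY2 Uses S/W version which has only been seen in spam
  1841. score SARE_HEAD_XLIB_INDY2 1.272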
  1842. #ham SARE_HEAD_XLIB_INDY2 verified (1)
  1843. #hist SARE_HEAD_XLIB_INDY2 Created by Bob Menschel May 31 2004
  1844. #counts SARE_HEAD_XLIB_INDY2 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1845. #max SARE_HEAD_XLIB_INDY2 130s/1h of 327690 corpus (159737s/167953h RM) 07/27/05
  1846. #counts SARE_HEAD_XLIB_INDY2 91s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1847. #counts SARE_HEAD_XLIB_INDY2 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1848. #counts SARE_HEAD_XLIB_INDY2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  1849. #max SARE_HEAD_XLIB_INDY2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
  1850. #counts SARE_HEAD_XLIB_INDY2 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  1851. #max SARE_HEAD_XLIB_INDY2 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
  1852. #counts SARE_HEAD_XLIB_INDY2 30s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1853. #counts SARE_HEAD_XLIB_INDY2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
  # Fires when an X-Unsent header contains "1" as a standalone token (\b1\b).
  # The /i modifier has no effect on a digits-only pattern.
  # NOTE(review): the recorded maximum is 15436s/2h (RM, 09/18/05) but the latest RM
  # run shows 4s, so the hit rate fell sharply and should be re-measured before
  # relying on the 1.666 score.
  1854. header SARE_HEAD_XUNSENT X-Unsent =~ /\b1\b/i
  1855. describe SARE_HEAD_XUNSENT Found spamsign header
  1856. score SARE_HEAD_XUNSENT 1.666
  1857. #hist SARE_HEAD_XUNSENT Alex Broens, June 10 2005
  1858. #counts SARE_HEAD_XUNSENT 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1859. #max SARE_HEAD_XUNSENT 15436s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
  1860. #counts SARE_HEAD_XUNSENT 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
  1861. #counts SARE_HEAD_XUNSENT 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1862. #max SARE_HEAD_XUNSENT 57s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
  1863. #counts SARE_HEAD_XUNSENT 126s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1864. #counts SARE_HEAD_XUNSENT 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1865. #max SARE_HEAD_XUNSENT 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
  1866. #counts SARE_HEAD_XUNSENT 98s/0h of 53950 corpus (16777s/37173h JH-3.01) 06/11/05
  1867. #counts SARE_HEAD_XUNSENT 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
  1868. #####################################################################################
  1869. # SARE Rules which examine multiple header types
  1870. ######## ###################### ##################################################
  # Fires when the Date header contains three consecutive bytes in the range
  # 0x80-0xFF. A well-formed Date header is plain ASCII.
  # NOTE(review): this assumes the header is matched as raw bytes; confirm that
  # behaviour if the installation decodes or normalises header charsets first.
  1871. header SARE_HEAD_8BIT_DATE Date =~ /[\x80-\xff]{3}/
  1872. describe SARE_HEAD_8BIT_DATE High-ascii characters found in strange header
  1873. score SARE_HEAD_8BIT_DATE 1.666
  1874. #hist SARE_HEAD_8BIT_DATE From Bugzilla # 2243
  1875. #ham SARE_HEAD_8BIT_DATE verified (1)
  1876. #counts SARE_HEAD_8BIT_DATE 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1877. #max SARE_HEAD_8BIT_DATE 433s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1878. #counts SARE_HEAD_8BIT_DATE 116s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1879. #counts SARE_HEAD_8BIT_DATE 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1880. #counts SARE_HEAD_8BIT_DATE 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
  1881. #counts SARE_HEAD_8BIT_DATE 71s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1882. #counts SARE_HEAD_8BIT_DATE 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1883. #counts SARE_HEAD_8BIT_DATE 65s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  # Fires when any header (the ALL pseudo-header) contains "@citiz.net" or
  # "@<label>.citiz.net", case-insensitive. At most one subdomain label is allowed.
  # NOTE(review): ALL includes To and Cc, so mail addressed to a recipient at this
  # domain also matches, as does any message that merely quotes such an address in a
  # header. The #ham line that follows confirms legitimate hits.
  1884. header SARE_MULT_VIA_CITIZNET ALL =~ /\@(?:\w+\.)?citiz\.net\b/i
  1885. describe SARE_MULT_VIA_CITIZNET header references apparent spam source
  1886. score SARE_MULT_VIA_CITIZNET 1.394
  1887. #ham SARE_MULT_VIA_CITIZNET confirmed (2)
  1888. #hist SARE_MULT_VIA_CITIZNET Created by Bob Menschel Aug 23 2004
  1889. #counts SARE_MULT_VIA_CITIZNET 25s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
  1890. #max SARE_MULT_VIA_CITIZNET 37s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  1891. #counts SARE_MULT_VIA_CITIZNET 60s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
  1892. #counts SARE_MULT_VIA_CITIZNET 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
  1893. #max SARE_MULT_VIA_CITIZNET 8s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
  1894. #counts SARE_MULT_VIA_CITIZNET 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
  1895. #max SARE_MULT_VIA_CITIZNET 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
  1896. #counts SARE_MULT_VIA_CITIZNET 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
  1897. #counts SARE_MULT_VIA_CITIZNET 40s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
  1898. #counts SARE_MULT_VIA_CITIZNET 13s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
  1899. # EOF