1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047 |
- # SARE Header Abuse Ruleset for SpamAssassin -- file 1
- # Version: 01.03.21
- # Created: 2004-04-25
- # Modified: 2006-05-21
- # Usage instructions and documentation in 70_sare_header0.cf
- # Full Revision History / Change Log in 70_sare_header.log
- #@@# 01.03.20 May 20 2005
- #@@# Minor score updates based on additional mass-check
- #@@# Modified "rule has been moved" meta flags
- #@@# Archived from file 1 SARE_FROM_SPAM_DOMN0
- #@@# Archived from file 1 SARE_HEAD_HDR_ALTREC
- #@@# Archived from file 1 SARE_HEAD_HDR_XBBOUNC
- #@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL2
- #@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL4
- #@@# Archived from file 1 SARE_HEAD_HDR_XMEBDOM
- #@@# Archived from file 1 SARE_HEAD_HDR_XWTID
- #@@# Archived from file 1 SARE_HEAD_HDR_XWTVERS
- #@@# Archived from file 1 SARE_HEAD_ORIG_RECIP
- #@@# Archived from file 1 SARE_RECV_IP_195229
- #@@# Moved file 0 to file 1 SARE_FREE_WEBM_EsTerra
- #@@# Moved file 0 to file 1 SARE_FROM_SPAM_NAME2A
- #@@# Moved file 0 to file 1 SARE_HEAD_DATE46
- #@@# Moved file 0 to file 1 SARE_HEAD_HDR_XEMAIL
- #@@# Moved file 0 to file 1 SARE_HEAD_MIME_INVALID
- #@@# Moved file 0 to file 1 SARE_RECV_IP_063106130
- #@@# Moved file 1 to file 0 SARE_HEAD_HDR_XLISTAD
- #@@# Moved file 1 to file 0 SARE_HEAD_MSMPR_RNDSTR
- #@@# Moved file 1 to file 0 SARE_RECV_IP_209190
- #@@# Moved file 1 to file 2 SARE_HEAD_DATE_RNDDATE
- #@@# Moved file 1 to file 2 SARE_HEAD_HDR_MSGTYPE
- #@@# Moved file 1 to file 2 SARE_HEAD_HDR_X400RCV
- #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XCNDINF
- #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XRIPE
- #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XSAFMMI
- #@@# Moved file 1 to file 2 SARE_RECV_IP_062023
- #@@# Moved file 1 to file 2 SARE_RECV_IP_065205157
- #@@# Moved file 1 to file 2 SARE_RECV_IP_066248154
- #@@# Moved file 1 to file 2 SARE_RECV_IP_206248152
- #@@# Moved file 1 to file 2 SARE_RECV_RND_DATE
- #@@# Moved file 1 to file 2 SARE_XMAIL_GDI
- #@@# Moved file 1 to file 3 SARE_HEAD_DATE_5L
- #@@# Moved file 1 to file 3 SARE_HEAD_XWORD
- #@@# Moved file 1 to file 3 SARE_RECV_IP_063106130
- #@@# Moved file 1 to file 3 SARE_RECV_IP_064034
- #@@# Moved file 1 to file 3 SARE_XMAIL_GOMAIL
- #@@# Moved file 1 to file 3 SARE_XMAIL_TOLMAIL
- #@@# Moved from file 1 to 3 SARE_FROM_DVDCOPY
- #@@# Moved from file 1 to 3 SARE_RECV_FREESERVE
- #@@# Returned file 1 to file 0 SARE_HEAD_HDR_XTID
- #@@# Returned file 1 to file 0 SARE_RECV_IP_163125
- #@@# Returned file 2 to file 1 SARE_RECV_IP_142046
- #@@# 01.03.21 May 21 2005
- #@@# Minor repairs to "downgraded rule" metas.
- # License: Artistic - see http://www.rulesemporium.com/license.txt
- # Current Maintainer: Bob Menschel - RMSA@Menschel.net
- # Current Home: http://www.rulesemporium.com/rules/70_sare_header1.cf
- ######## ###################### ##################################################
- # Component rules used within meta rules
- ######## ###################### ##################################################
- header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
- ######## ###################### ##################################################
- # Meta rules used to prevent --lint errors after moving/changing rules
- ######## ###################### ##################################################
- meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
- meta SARE_FREE_WEBM_CZSEZNA __SARE_HEAD_FALSE
- meta SARE_FROM_MULTI_DASH __SARE_HEAD_FALSE
- meta SARE_HEAD_DATE18 __SARE_HEAD_FALSE
- meta SARE_MSGID_LONG40 __SARE_HEAD_FALSE
- meta SARE_MSGID_LONG55 __SARE_HEAD_FALSE
- meta SARE_MULT_VIA_FWCATS __SARE_HEAD_FALSE
- meta SARE_RECV_IP_064080 __SARE_HEAD_FALSE
- meta SARE_RECV_ISWEST __SARE_HEAD_FALSE
- meta SARE_FROM_AMERICA __SARE_HEAD_FALSE
- meta SARE_MSGID_06D6 __SARE_HEAD_FALSE
- meta SARE_RECV_IP_212164 __SARE_HEAD_FALSE
- meta SARE_BOUNDARY_MULTB __SARE_HEAD_FALSE
- meta SARE_FROM_NUM_9DIG __SARE_HEAD_FALSE
- meta SARE_FROM_PRINTER __SARE_HEAD_FALSE
- meta SARE_HEAD_8BIT_NOSPM __SARE_HEAD_FALSE
- meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XCCDIAG __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XMAILTH __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XSMTPSV __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XUMAIL __SARE_HEAD_FALSE
- meta SARE_HELO_SERVER __SARE_HEAD_FALSE
- meta SARE_MSGID_LONG35 __SARE_HEAD_FALSE
- meta SARE_MSGID_LONG65 __SARE_HEAD_FALSE
- meta SARE_MSGID_LONG75 __SARE_HEAD_FALSE
- meta SARE_RECV_IP_066111 __SARE_HEAD_FALSE
- meta SARE_RECV_SUSP_3 __SARE_HEAD_FALSE
- meta SARE_XMAIL_XMAIL __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XEMGBMS __SARE_HEAD_FALSE
- meta SARE_HEAD_XCANIT1 __SARE_HEAD_FALSE
- meta SARE_HEAD_XCANIT2 __SARE_HEAD_FALSE
- meta SARE_MSGID_SPAM_DOMN0 __SARE_HEAD_FALSE
- meta SARE_MSGID_SUSP2 __SARE_HEAD_FALSE
- meta SARE_RECV_IP_081019 __SARE_HEAD_FALSE
- meta SARE_RECV_IP_211049 __SARE_HEAD_FALSE
- meta SARE_RECV_RND_NUMBER __SARE_HEAD_FALSE
- meta SARE_FROM_NONAME __SARE_HEAD_FALSE
- meta SARE_FROM_SPAM_CHAR0 __SARE_HEAD_FALSE
- meta SARE_HEAD_XCOM_RFCMIN __SARE_HEAD_FALSE
- meta SARE_RECV_IP_080178 __SARE_HEAD_FALSE
- meta SARE_XMAIL_SUSP3 __SARE_HEAD_FALSE
- meta SARE_MSGID_DBL_AT __SARE_HEAD_FALSE
- meta SARE_FREE_WEBM_USACOPS __SARE_HEAD_FALSE
- meta SARE_FROM_SPAM_DOMN0 __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_ALTREC __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XBBOUNC __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XLEGAL2 __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XLEGAL4 __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XMEBDOM __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XWTID __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XWTVERS __SARE_HEAD_FALSE
- meta SARE_HEAD_ORIG_RECIP __SARE_HEAD_FALSE
- meta SARE_RECV_IP_195229 __SARE_HEAD_FALSE
- meta SARE_FREE_WEBM_EsTerra __SARE_HEAD_FALSE
- meta SARE_FROM_SPAM_NAME2A __SARE_HEAD_FALSE
- meta SARE_HEAD_DATE46 __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XEMAIL __SARE_HEAD_FALSE
- meta SARE_HEAD_MIME_INVALID __SARE_HEAD_FALSE
- meta SARE_RECV_IP_063106130 __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XLISTAD __SARE_HEAD_FALSE
- meta SARE_HEAD_MSMPR_RNDSTR __SARE_HEAD_FALSE
- meta SARE_RECV_IP_209190 __SARE_HEAD_FALSE
- meta SARE_HEAD_DATE_RNDDATE __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_MSGTYPE __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_X400RCV __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XCNDINF __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XRIPE __SARE_HEAD_FALSE
- meta SARE_HEAD_HDR_XSAFMMI __SARE_HEAD_FALSE
- meta SARE_RECV_IP_062023 __SARE_HEAD_FALSE
- meta SARE_RECV_IP_065205157 __SARE_HEAD_FALSE
- meta SARE_RECV_IP_066248154 __SARE_HEAD_FALSE
- meta SARE_RECV_IP_206248152 __SARE_HEAD_FALSE
- meta SARE_RECV_RND_DATE __SARE_HEAD_FALSE
- meta SARE_XMAIL_GDI __SARE_HEAD_FALSE
- meta SARE_HEAD_DATE_5L __SARE_HEAD_FALSE
- meta SARE_HEAD_XWORD __SARE_HEAD_FALSE
- meta SARE_RECV_IP_063106130 __SARE_HEAD_FALSE
- meta SARE_RECV_IP_064034 __SARE_HEAD_FALSE
- meta SARE_XMAIL_GOMAIL __SARE_HEAD_FALSE
- meta SARE_XMAIL_TOLMAIL __SARE_HEAD_FALSE
- meta SARE_FROM_DVDCOPY __SARE_HEAD_FALSE
- meta SARE_RECV_FREESERVE __SARE_HEAD_FALSE
- #####################################################################################
- # SARE Header-Exists rules
- ######## ###################### ##################################################
- header SARE_HEAD_HDR_APPROV exists:Approved
- describe SARE_HEAD_HDR_APPROV Message headers used which identify spam
- score SARE_HEAD_HDR_APPROV 0.166
- #hist SARE_HEAD_HDR_APPROV Moved file 0 to 1, version 01.03.09, 2 ham confirmed
- #counts SARE_HEAD_HDR_APPROV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_HDR_APPROV 163s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
- #counts SARE_HEAD_HDR_APPROV 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_HDR_APPROV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
- #counts SARE_HEAD_HDR_APPROV 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_HEAD_HDR_APPROV 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_HEAD_HDR_APPROV 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_HEAD_HDR_APPROV 19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_HDR_APPROV 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_HDR_APPROV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_HEAD_HDR_DISCREC exists:Disclose-Recipients
- describe SARE_HEAD_HDR_DISCREC Message headers used which identify spam
- score SARE_HEAD_HDR_DISCREC 0.772
- #ham SARE_HEAD_HDR_DISCREC confirmed (4), Used by usdoj.gov
- #counts SARE_HEAD_HDR_DISCREC 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_HDR_DISCREC 210s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
- #counts SARE_HEAD_HDR_DISCREC 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_HDR_DISCREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
- #counts SARE_HEAD_HDR_DISCREC 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_HEAD_HDR_DISCREC 33s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_HEAD_HDR_DISCREC 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_HEAD_HDR_DISCREC 9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_HDR_DISCREC 4s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_HDR_DISCREC 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_HEAD_HDR_XEMAIL exists:X-EMail
- describe SARE_HEAD_HDR_XEMAIL Message headers used which identify spam
- score SARE_HEAD_HDR_XEMAIL 1.666
- #ham SARE_HEAD_HDR_XEMAIL confirmed (several, one source)
- #counts SARE_HEAD_HDR_XEMAIL 221s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_HDR_XEMAIL 841s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_HDR_XEMAIL 78s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_HDR_XEMAIL 458s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_HDR_XEMAIL 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
- header SARE_HEAD_HDR_XENC exists:X-ENC
- describe SARE_HEAD_HDR_XENC Message headers used which identify spam
- score SARE_HEAD_HDR_XENC 0.872
- #stype SARE_HEAD_HDR_XENC spamp
- #hist SARE_HEAD_HDR_XENC Created by Bob Menschel Sep 03 2004
- #counts SARE_HEAD_HDR_XENC 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
- #max SARE_HEAD_HDR_XENC 19s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
- #counts SARE_HEAD_HDR_XENC 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_HEAD_HDR_XENC 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_HEAD_HDR_XENC 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
- #counts SARE_HEAD_HDR_XENC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_HDR_XENC 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_HDR_XENC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header __HAS_RCVD exists:Received
- header __SARE_HEAD_HDR_IDKEY exists:X-Identity-Key
- meta SARE_HEAD_HDR_XIDKEY __SARE_HEAD_HDR_IDKEY && __HAS_RCVD
- header SARE_HEAD_HDR_XIDKEY exists:X-Identity-Key
- describe SARE_HEAD_HDR_XIDKEY Apparent spam sign in headers
- score SARE_HEAD_HDR_XIDKEY 1.666
- #ham SARE_HEAD_HDR_XIDKEY verified (4)
- #hist SARE_HEAD_HDR_XIDKEY Created by Chris Santerre Aug 31 2004
- #counts SARE_HEAD_HDR_XIDKEY 30s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_HDR_XIDKEY 3611s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_HDR_XIDKEY 232s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_HEAD_HDR_XIDKEY 68s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_HEAD_HDR_XIDKEY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_HEAD_HDR_XIDKEY 104s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_HEAD_HDR_XIDKEY 367s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_HDR_XIDKEY 859s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header __SARE_HEAD_HDR_XLEGAL exists:X-Legal
- header __SARE_HEAD_HDR_XLEGAC X-Legal =~ m'copyright|\(c\)'i
- header __SARE_HEAD_HDR_XLEGAI X-Legal =~ m'in compliance'i
- header __SARE_HEAD_HDR_XLEGAB X-Legal =~ m'BE ADVISED'i
- meta SARE_HEAD_HDR_XLEGAL1 __SARE_HEAD_HDR_XLEGAB && __SARE_HEAD_HDR_XLEGAI && !__SARE_HEAD_HDR_XLEGAC
- describe SARE_HEAD_HDR_XLEGAL1 Message headers used which identify spam
- score SARE_HEAD_HDR_XLEGAL1 1.666
- #stype SARE_HEAD_HDR_XLEGAL1 spamgg
- #hist SARE_HEAD_HDR_XLEGAL1 Bob Menschel, Aug 07 2005
- #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_HDR_XLEGAL1 7s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
- #counts SARE_HEAD_HDR_XLEGAL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
- meta SARE_HEAD_HDR_XLEGAL3 __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !__SARE_HEAD_HDR_XLEGAC
- describe SARE_HEAD_HDR_XLEGAL3 Message headers used which identify spam
- score SARE_HEAD_HDR_XLEGAL3 1.666
- #stype SARE_HEAD_HDR_XLEGAL3 spamgg
- #hist SARE_HEAD_HDR_XLEGAL3 Bob Menschel, Aug 07 2005
- #counts SARE_HEAD_HDR_XLEGAL3 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
- #counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
- header SARE_HEAD_HDR_XMAILID exists:X-Mailid
- describe SARE_HEAD_HDR_XMAILID Message headers used which identify spam
- score SARE_HEAD_HDR_XMAILID 1.666
- #ham SARE_HEAD_HDR_XMAILID confirmed
- #counts SARE_HEAD_HDR_XMAILID 248s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #counts SARE_HEAD_HDR_XMAILID 4s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_HEAD_HDR_XMAILID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
- #counts SARE_HEAD_HDR_XMAILID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_HEAD_HDR_XMAILID 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #was SARE_HEAD_HDR_XMAILID 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_HDR_XMAILID 5s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_HEAD_HDR_XMLRSRV exists:X-Mailer-Server
- describe SARE_HEAD_HDR_XMLRSRV Message headers used which identify spam
- score SARE_HEAD_HDR_XMLRSRV 0.555
- #ham SARE_HEAD_HDR_XMLRSRV verified (1)
- #counts SARE_HEAD_HDR_XMLRSRV 2s/5h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_HDR_XMLRSRV 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
- #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_HDR_XMLRSRV 84s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_HEAD_HDR_XRESPID exists:X-Response-ID
- describe SARE_HEAD_HDR_XRESPID Message headers used which identify spam
- score SARE_HEAD_HDR_XRESPID 0.528
- #ham SARE_HEAD_HDR_XRESPID confirmed (1)
- #counts SARE_HEAD_HDR_XRESPID 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_HDR_XRESPID 35s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_HDR_XRESPID 18s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_HDR_XRESPID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
- #counts SARE_HEAD_HDR_XRESPID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_HEAD_HDR_XRESPID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_HDR_XRESPID 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_HEAD_HDR_XSIDPRA exists:X-SID-PRA
- describe SARE_HEAD_HDR_XSIDPRA fingerprint
- score SARE_HEAD_HDR_XSIDPRA 0.616
- #ham SARE_HEAD_HDR_XSIDPRA confirmed
- #hist SARE_HEAD_HDR_XSIDPRA Alex Broens, Aug 3 2005
- #counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_HDR_XSIDPRA 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_HDR_XSIDPRA 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_HDR_XSIDPRA 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_HEAD_HDR_XSIDPRA 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
- #counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- header SARE_HEAD_HDR_XSIDRES exists:X-SID-Result
- describe SARE_HEAD_HDR_XSIDRES fingerprint
- score SARE_HEAD_HDR_XSIDRES 0.616
- #ham SARE_HEAD_HDR_XSIDRES confirmed
- #hist SARE_HEAD_HDR_XSIDRES Alex Broens, Aug 3 2005
- #counts SARE_HEAD_HDR_XSIDRES 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_HDR_XSIDRES 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_HDR_XSIDRES 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_HDR_XSIDRES 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_HEAD_HDR_XSIDRES 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
- #counts SARE_HEAD_HDR_XSIDRES 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #####################################################################################
- # SARE Content-Type and Boundary rules
- ######## ###################### ##################################################
- header SARE_BOUNDARY_05 Content-Type =~ /boundary="-{8}[a-z]{20}"/
- describe SARE_BOUNDARY_05 Content type boundary used in spam
- score SARE_BOUNDARY_05 1.666
- #stype SARE_BOUNDARY_05 vbggg
- #hist SARE_BOUNDARY_05 Moved from file 0 to 1 May 2005
- #counts SARE_BOUNDARY_05 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_BOUNDARY_05 451s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
- #counts SARE_BOUNDARY_05 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_BOUNDARY_05 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_BOUNDARY_05 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_BOUNDARY_05 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_BOUNDARY_05 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_BOUNDARY_05 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_BOUNDARY_06 Content-Type =~ /boundary="Boundary_\w{5}_\w{4}_\w{23}"/i
- describe SARE_BOUNDARY_06 Content type boundary used in spam
- score SARE_BOUNDARY_06 1.666
- #stype SARE_BOUNDARY_06 vbggg
- #hist SARE_BOUNDARY_06 Created by Bob Menschel May 4 2004
- #hist SARE_BOUNDARY_06 Moved from file 0 to 1 May 2005
- #counts SARE_BOUNDARY_06 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_BOUNDARY_06 84s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_BOUNDARY_06 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_BOUNDARY_06 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_BOUNDARY_06 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_BOUNDARY_06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_BOUNDARY_08 Content-Type =~ /boundary="[\.\_]*(?:[A-Z\d]+[\.\_]+){4,20}[A-Z\d]*\"/s
- describe SARE_BOUNDARY_08 Improbable MIME boundary format
- score SARE_BOUNDARY_08 1.666
- #hist SARE_BOUNDARY_08 LW_BOUNDARY1
- #ham SARE_BOUNDARY_08 ServiceMagic <customerservice@servicemagic.com>, 2001
- #ham SARE_BOUNDARY_08 verizon wireless picture phone transmission
- #counts SARE_BOUNDARY_08 613s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_BOUNDARY_08 5929s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_BOUNDARY_08 38s/3h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_BOUNDARY_08 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_BOUNDARY_08 228s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_BOUNDARY_08 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #max SARE_BOUNDARY_08 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_BOUNDARY_08 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_BOUNDARY_08 18s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_BOUNDARY_08 826s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_BOUNDARY_08 243s/2h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_BOUNDARY_D10 Content-Type =~ /boundary="\d{10}"/
- describe SARE_BOUNDARY_D10 Content type boundary used in spam or virus
- score SARE_BOUNDARY_D10 0.444
- #ham SARE_BOUNDARY_D10 verified (1)
- #hist SARE_BOUNDARY_D10 Created by Bob Menschel May 31 2004
- #counts SARE_BOUNDARY_D10 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_BOUNDARY_D10 134s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_BOUNDARY_D10 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_BOUNDARY_D10 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_BOUNDARY_D10 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_BOUNDARY_D10 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_BOUNDARY_D10 5s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_BOUNDARY_D10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_BOUNDARY_LC Content-Type =~ /boundary="(?!ffff)[a-z]+"/
- describe SARE_BOUNDARY_LC Content type boundary used in spam
- score SARE_BOUNDARY_LC 1.666
- #ham SARE_BOUNDARY_LC questionable newsletters
- #hist SARE_BOUNDARY_LC Created by Bob Menschel May 31 2004
- #ham SARE_BOUNDARY_LC "ffff": Game Rival <newsletter@gamerival.com>, ThePerfectGreeting <updates@perfectgreeting.com>
- #counts SARE_BOUNDARY_LC 0s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_BOUNDARY_LC 899s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_BOUNDARY_LC 44s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_BOUNDARY_LC 83s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_BOUNDARY_LC 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_BOUNDARY_LC 0s/1h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_BOUNDARY_LC 125s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_BOUNDARY_LC 15s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_BOUNDARY_LC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_BOUNDARY_NP2 Content-Type =~ /boundary=".*_NextPart_.*_NextPart_/
- describe SARE_BOUNDARY_NP2 Content type boundary used in spam and viruses
- score SARE_BOUNDARY_NP2 4.000
- #stype SARE_BOUNDARY_NP2 vbg
- #hist SARE_BOUNDARY_NP2 Created by Bob Menschel May 31 2004
- #hist SARE_BOUNDARY_NP2 Bugzilla entry 3861, Oct 03 2004
- #counts SARE_BOUNDARY_NP2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_BOUNDARY_NP2 1118s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
- #counts SARE_BOUNDARY_NP2 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #max SARE_BOUNDARY_NP2 37s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_BOUNDARY_NP2 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_BOUNDARY_NP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_BOUNDARY_NP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- #####################################################################################
- # SARE From Rules
- ######## ###################### ##################################################
- header SARE_FROM_AST From =~ /<\*\@.{1,50}\..{1,3}/
- describe SARE_FROM_AST Invalid character in email address
- score SARE_FROM_AST 0.666
- #hist SARE_FROM_AST Originally submitted by Fred Tarasevicius
- #hist SARE_FROM_AST Returned from file 2 to file 1 Oct 2005
- #counts SARE_FROM_AST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FROM_AST 20s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
- #counts SARE_FROM_AST 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_FROM_AST 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FROM_AST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_FROM_AST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FROM_CAPS_MSN From =~ /"[^"]+" <[A-Z]+\@msn.com>/ # no /i
- describe SARE_FROM_CAPS_MSN Ratware all-caps MSN from address
- score SARE_FROM_CAPS_MSN 0.828
- #ham SARE_FRMO_CAPS_MSN verified (3)
- #hist SARE_FROM_CAPS_MSN Created by Bob Menschel May 15 2004
- #counts SARE_FROM_CAPS_MSN 18s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FROM_CAPS_MSN 421s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
- #counts SARE_FROM_CAPS_MSN 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FROM_CAPS_MSN 48s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_FROM_CAPS_MSN 102s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_FROM_CAPS_MSN 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #max SARE_FROM_CAPS_MSN 59s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FROM_CAPS_MSN 28s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FROM_CAPS_MSN 51s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_FROM_CAPS_MSN 61s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FROM_CAPS_MSN 28s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
-
- header SARE_FROM_DRUGS2 From =~ /\bsoma\b/i
- describe SARE_FROM_DRUGS2 From a drug
- score SARE_FROM_DRUGS2 0.644
- #ham SARE_FROM_DRUGS2 verified (3)
- #hist SARE_FROM_DRUGS2 Bob Menschel June 25 2005; ham email from userid = soma
- #counts SARE_FROM_DRUGS2 1s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FROM_DRUGS2 79s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FROM_DRUGS2 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #max SARE_FROM_DRUGS2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
- #counts SARE_FROM_DRUGS2 20s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FROM_DRUGS2 62s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_FROM_DRUGS2 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
- #counts SARE_FROM_DRUGS2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i # SA 3.1.0
- header __SARE_FROM_NONAME From =~ /"" ?</
- meta SARE_FROM_NONAME __SARE_FROM_NONAME && !FROM_BLANK_NAME
- score SARE_FROM_NONAME 1.294
- #hist SARE_FROM_NONAME Created by Fred Tarasevicius
- #overlap SARE_FROM_NONAME SARE rule catches spam missed by SA rule. Use meta to avoid duplication
- #counts SARE_FROM_NONAME 256s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FROM_NONAME 371s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FROM_NONAME 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FROM_NONAME 11s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_FROM_NONAME 129s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FROM_NONAME 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FROM_SPAM_DOMN0Y From =~ /\byahoo\.net/i
- describe SARE_FROM_SPAM_DOMN0Y From address suggests this is spam
- score SARE_FROM_SPAM_DOMN0Y 0.555
- #ham SARE_FROM_SPAM_DOMN0Y confirmed: 1 yahoo.net, perhaps a user's error
- #counts SARE_FROM_SPAM_DOMN0Y 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FROM_SPAM_DOMN0Y 36s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
- header __SARE_FROM_SPAM_MONY1 From =~ /money.*\@/i
- header __SARE_FROM_SPAM_MONY2 From =~ /money\S*\@/i
- meta SARE_FROM_SPAM_MONEY __SARE_FROM_SPAM_MONY2
- describe SARE_FROM_SPAM_MONEY From address suggests this is spam
- score SARE_FROM_SPAM_MONEY 1.208
- #ham SARE_FROM_SPAM_MONEY confirmed (1)
- #addsto SARE_FROM_SPAM_MONEY SARE_FROM_SPAM_MONEY2
- #hist SARE_FROM_SPAM_MONEY RM_fw_Money. Meta created Aug 20 2004 to improve scoring.
- #counts SARE_FROM_SPAM_MONEY 257s/8h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FROM_SPAM_MONEY 249s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FROM_SPAM_MONEY 68s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FROM_SPAM_MONEY 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_FROM_SPAM_MONEY 14s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FROM_SPAM_MONEY 31s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_FROM_SPAM_MONEY 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FROM_SPAM_MONEY 33s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_FROM_SPAM_MONEY 693s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FROM_SPAM_MONEY 18s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
- header __SARE_FROM_SPAM_MONY1 From =~ /money.*\@/i
- header __SARE_FROM_SPAM_MONY2 From =~ /money\S*\@/i
- meta SARE_FROM_SPAM_MONEY2 __SARE_FROM_SPAM_MONY1 && !__SARE_FROM_SPAM_MONY2
- describe SARE_FROM_SPAM_MONEY2 From address suggests this is spam
- score SARE_FROM_SPAM_MONEY2 0.890
- #ham SARE_FROM_SPAM_MONEY2 Valid end-users with "money" in their display name
- #counts SARE_FROM_SPAM_MONEY2 84s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FROM_SPAM_MONEY2 290s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FROM_SPAM_MONEY2 33s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FROM_SPAM_MONEY2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FROM_SPAM_MONEY2 61s/3h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FROM_SPAM_MONEY2 62s/3h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_FROM_SPAM_MONEY2 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FROM_SPAM_MONEY2 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_FROM_SPAM_MONEY2 176s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FROM_SPAM_MONEY2 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FROM_SPAM_NAME0 From =~ /(?:Direct Marketing|FreeOffers|FunBenefits|salestonight|WESTEC SALES|\bWSEAS\b)/i
- describe SARE_FROM_SPAM_NAME0 From address suggests this is spam
- score SARE_FROM_SPAM_NAME0 3.333
- #stype SARE_FROM_SPAM_NAME0 spamg
- #hist SARE_FROM_SPAM_NAME0 COMBINED.FROM and other sources
- #counts SARE_FROM_SPAM_NAME0 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #max SARE_FROM_SPAM_NAME0 369s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
- #counts SARE_FROM_SPAM_NAME0 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_FROM_SPAM_NAME0 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FROM_SPAM_NAME0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_FROM_SPAM_NAME0 12s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FROM_SPAM_NAME0 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FROM_SPAM_NAME2A From =~ /\bfunpage\b/i
- describe SARE_FROM_SPAM_NAME2A From address suggests this is spam
- score SARE_FROM_SPAM_NAME2A 0.111
- #stype SARE_FROM_SPAM_NAME2A spamp
- #hist SARE_FROM_SPAM_NAME2A COMBINED.FROM and other sources
- #counts SARE_FROM_SPAM_NAME2A 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #counts SARE_FROM_SPAM_NAME2A 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
- #counts SARE_FROM_SPAM_NAME2A 2s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
- header SARE_FROM_SPAM_PL1 From =~ /\@tpnet\.pl\b/
- describe SARE_FROM_SPAM_PL1 A lot of spam comes from here
- score SARE_FROM_SPAM_PL1 0.500
- #stype SARE_FRMO_SPAM_PL1 max:0.5 # possible valid ISP in Poland
- #hist SARE_FROM_SPAM_PL1 Loren Wilton, Feb 21 2005
- #counts SARE_FROM_SPAM_PL1 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FROM_SPAM_PL1 26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
- #counts SARE_FROM_SPAM_PL1 14s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FROM_SPAM_PL1 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
- #counts SARE_FROM_SPAM_PL1 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FROM_SPAM_PL1 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_FROM_SPAM_PL1 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #max SARE_FROM_SPAM_PL1 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_FROM_SPAM_PL1 12s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FROM_SPAM_PL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FROM_SPAM_WORD2 From =~ /\b(?:^high.?speed|interacial)\b/i
- describe SARE_FROM_SPAM_WORD2 From address suggests this is spam
- score SARE_FROM_SPAM_WORD2 0.555
- #stype SARE_FRM_SPAM_WORD2 spamp
- #hist SARE_FROM_SPAM_WORD2 COMBINED.FROM and other sources
- #counts SARE_FROM_SPAM_WORD2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FROM_SPAM_WORD2 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FROM_SPAM_WORD2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_FROM_SPAM_WORD2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_FROM_SPAM_WORD2 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FROM_SPAM_WORD2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- #####################################################################################
- # SARE From Rules -- Emails coming from free webmail accounts
- # Since spam from these can vary depending upon country of origin,
- # country of destination, policies, and enforcement of policies,
- # most of these are kept as separate rules rather than combined.
- ######## ###################### ##################################################
- header SARE_FREE_WEBM_BIGMAIL From =~ /\bbigmailbox\.com/i
- describe SARE_FREE_WEBM_BIGMAIL Sender used free email account - may be spammer
- score SARE_FREE_WEBM_BIGMAIL 0.667
- #counts SARE_FREE_WEBM_BIGMAIL 14s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #counts SARE_FREE_WEBM_BIGMAIL 2s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_BIGMAIL 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FREE_WEBM_EsTerra From =~ /\bterra\.es/i
- describe SARE_FREE_WEBM_EsTerra Sender used free email account - may be spammer
- score SARE_FREE_WEBM_EsTerra 1.666
- #counts SARE_FREE_WEBM_EsTerra 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_EsTerra 228s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
- #counts SARE_FREE_WEBM_EsTerra 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_EsTerra 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_EsTerra 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_EsTerra 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_FREE_WEBM_EsTerra 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_EsTerra 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_FREE_WEBM_EsTerra 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_EsTerra 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FREE_WEBM_FrVoila From =~ /\bvoila\.fr/i
- describe SARE_FREE_WEBM_FrVoila Sender used free email account - may be spammer
- score SARE_FREE_WEBM_FrVoila 0.444
- #ham SARE_FREE_WEBM_FrVoila confirmed: 1
- #counts SARE_FREE_WEBM_FrVoila 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_FrVoila 40s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
- #counts SARE_FREE_WEBM_FrVoila 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_FrVoila 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_FrVoila 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #max SARE_FREE_WEBM_FrVoila 3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_FrVoila 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_FREE_WEBM_FrVoila 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_FrVoila 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FREE_WEBM_Jpop From =~ /\bjpopmail\.com/i
- describe SARE_FREE_WEBM_Jpop Sender used free email account - may be spammer
- score SARE_FREE_WEBM_Jpop 0.989
- #counts SARE_FREE_WEBM_Jpop 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_Jpop 66s/0h of 125163 corpus (104972s/20191h) 03/28/04
- #counts SARE_FREE_WEBM_Jpop 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_Jpop 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_Jpop 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_Jpop 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_Jpop 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #max SARE_FREE_WEBM_Jpop 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_FREE_WEBM_Jpop 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_Jpop 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_MailD From =~ /mail\d{1,3}\.com/i
- describe SARE_FREE_WEBM_MailD Sender used free email account - may be spammer
- score SARE_FREE_WEBM_MailD 1.485
- #ham SARE_FREE_WEBM_MailD questionable
- #counts SARE_FREE_WEBM_MailD 124s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_MailD 2051s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FREE_WEBM_MailD 10s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_MailD 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_FREE_WEBM_MailD 27s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_MailD 31s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_MailD 75s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_FREE_WEBM_MailD 10s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_FREE_WEBM_MailD 234s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_MailD 72s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_Mailexc From =~ /\bmailexcite\.com/i
- describe SARE_FREE_WEBM_Mailexc Sender used free email account - may be spammer
- score SARE_FREE_WEBM_Mailexc 0.889
- #ham SARE_FREE_WEMB_Mailexc verified (6)
- #counts SARE_FREE_WEBM_Mailexc 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_Mailexc 44s/0h of 125163 corpus (104972s/20191h) 03/28/04
- #counts SARE_FREE_WEBM_Mailexc 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_Mailexc 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_Mailexc 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_Mailexc 7s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_Mailexc 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_FREE_WEBM_Mailexc 40s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_Mailexc 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_NETCITY From =~ /\@netcity\w+\.com/i
- describe SARE_FREE_WEBM_NETCITY Maybe spammer with free email
- score SARE_FREE_WEBM_NETCITY 1.111
- #stype SARE_FREE_WEBM_NETCITY spamp
- #hist SARE_FREE_WEBM_NETCITY Created by Bob Menschel Aug 20 2004
- #counts SARE_FREE_WEBM_NETCITY 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_NETCITY 12s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
- #counts SARE_FREE_WEBM_NETCITY 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_FREE_WEBM_NETCITY 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_NETCITY 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_NETCITY 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_FREE_WEBM_NETCITY 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_FREE_WEBM_NETCITY 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_NETCITY 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FREE_WEBM_NetFs From =~ /\bfsmail\.net/i
- describe SARE_FREE_WEBM_NetFs Sender used free email account - may be spammer
- score SARE_FREE_WEBM_NetFs 0.500
- #ham SARE_FREE_WEBM_NetFs confirmed (1)
- #counts SARE_FREE_WEBM_NetFs 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_NetFs 129s/0h of 125163 corpus (104972s/20191h) 03/28/04
- #counts SARE_FREE_WEBM_NetFs 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_NetFs 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_FREE_WEBM_NetFs 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_NetFs 8s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_NetFs 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_FREE_WEBM_NETCITY 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_NetFs 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_NetSafe From =~ /\bsafe-mail\.net/i
- describe SARE_FREE_WEBM_NetSafe Sender used free email account - may be spammer
- score SARE_FREE_WEBM_NetSafe 0.667
- #counts SARE_FREE_WEBM_NetSafe 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_NetSafe 28s/1h of 283497 corpus (129933s/153564h RM) 03/08/05
- #counts SARE_FREE_WEBM_NetSafe 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_NetSafe 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_FREE_WEBM_NetSafe 9s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_FREE_WEBM_NetSafe 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_NetSafe 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_FREE_WEBM_NetSafe 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_NetSafe 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_FREE_WEBM_NetSafe 16s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_NetSafe 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #max SARE_FREE_WEBM_NetSafe 6s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
- header SARE_FREE_WEBM_Netster From =~ /\bnetster\.com/i
- describe SARE_FREE_WEBM_Netster Sender used free email account - may be spammer
- score SARE_FREE_WEBM_Netster 0.222
- #ham SARE_FREE_WEBM_Netster confirmed (1)
- #counts SARE_FREE_WEBM_Netster 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_Netster 43s/0h of 125163 corpus (104972s/20191h) 03/28/04
- #counts SARE_FREE_WEBM_Netster 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #max SARE_FREE_WEBM_Netster 2s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_FREE_WEBM_Netster 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_Netster 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_Netster 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_Netster 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_FREE_WEBM_Netster 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_Netster 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FREE_WEBM_PlTenbi From =~ /\btenbit\.pl/i
- describe SARE_FREE_WEBM_PlTenbi Sender used free email account - may be spammer
- score SARE_FREE_WEBM_PlTenbi 1.083
- #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_PlTenbi 83s/0h of 115937 corpus (94614s/21323h) 04/29/04
- #counts SARE_FREE_WEBM_PlTenbi 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_PlTenbi 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #max SARE_FREE_WEBM_PlTenbi 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #max SARE_FREE_WEBM_PlTenbi 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_FREE_WEBM_PlTenbi 4s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FREE_WEBM_ZCom05 From =~ /\b(?:redwhitearmy|emailaccount)\.com/i
- describe SARE_FREE_WEBM_ZCom05 Sender used free email account - may be spammer
- score SARE_FREE_WEBM_ZCom05 0.972
- #ham SARE_FREE_WEBM_ZCom05 confirmed (1)
- #counts SARE_FREE_WEBM_ZCom05 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_ZCom05 183s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FREE_WEBM_ZCom05 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #max SARE_FREE_WEBM_ZCom05 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_FREE_WEBM_ZCom05 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_ZCom05 54s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_FREE_WEBM_ZCom05 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_ZCom05 14s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_FREE_WEBM_ZCom05 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_ZCom05 32s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_Whoever From =~ /\bWhoever\.com/i
- describe SARE_FREE_WEBM_Whoever Sender used free email account - may be spammer
- score SARE_FREE_WEBM_Whoever 0.711
- #counts SARE_FREE_WEBM_Whoever 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_Whoever 18s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
- #counts SARE_FREE_WEBM_Whoever 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_FREE_WEBM_Whoever 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_Whoever 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #max SARE_FREE_WEBM_Whoever 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_Whoever 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_FREE_WEBM_Whoever 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_WOWMAIL From =~ /\@wowmail\.com/i
- describe SARE_FREE_WEBM_WOWMAIL Sender used free email account - may be spammer
- score SARE_FREE_WEBM_WOWMAIL 0.789
- #hist SARE_FREE_WEBM_WOWMAIL Created by Bob Menschel June 16 2004
- #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #max SARE_FREE_WEBM_WOWMAIL 18s/0h of 92181 corpus (67808s/24373h RM) 07/18/04
- #counts SARE_FREE_WEBM_WOWMAIL 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_WOWMAIL 7s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_FREE_WEBM_WOWMAIL 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_WOWMAIL 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_FREE_WEBM_WOWMAIL 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_ZCom01 From =~ /\b(?:sify|superonline|coolgoose)\.com/i
- describe SARE_FREE_WEBM_ZCom01 Sender used free email account - may be spammer
- score SARE_FREE_WEBM_ZCom01 0.630
- #ham SARE_FREE_WEBM_ZCom01 confirmed
- #counts SARE_FREE_WEBM_ZCom01 7s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_ZCom01 150s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FREE_WEBM_ZCom01 3s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_ZCom01 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_ZCom01 4s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_ZCom01 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_ZCom01 16s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_FREE_WEBM_ZCom01 33s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_ZCom01 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FREE_WEBM_ZCom02 From =~ /\b(?:macmail|emailacc)\.com/i
- describe SARE_FREE_WEBM_ZCom02 Sender used free email account - may be spammer
- score SARE_FREE_WEBM_ZCom02 0.900
- #ham SARE_FREE_WEBM_ZCom02 Confirmed: macmail.com(2)
- #counts SARE_FREE_WEBM_ZCom02 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_ZCom02 122s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FREE_WEBM_ZCom02 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_FREE_WEBM_ZCom02 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #max SARE_FREE_WEBM_ZCom02 10s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_FREE_WEBM_ZCom02 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_ZCom02 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_FREE_WEBM_ZCom02 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_ZCom02 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_FREE_WEBM_ZCom02 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_ZCom02 43s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_ZCom03 From =~ /\b(?:pakistanmail|prontomail)\.com/i
- describe SARE_FREE_WEBM_ZCom03 Sender used free email account - may be spammer
- score SARE_FREE_WEBM_ZCom03 0.656
- #ham SARE_FREE_WEBM_ZCom03 valid email bounce messages
- #hist SARE_FREE_WEBM_ZCom03 Removed mail2world.com since it hit ham.
- #counts SARE_FREE_WEBM_ZCom03 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_ZCom03 139s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FREE_WEBM_ZCom03 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_FREE_WEBM_ZCom03 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_FREE_WEBM_ZCom03 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_ZCom03 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_FREE_WEBM_ZCom03 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_ZCom03 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_FREE_WEBM_ZCom03 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_ZCom03 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_ZCom03B From =~ /\bmail2world\.com/i
- describe SARE_FREE_WEBM_ZCom03B Sender used free email account - may be spammer
- score SARE_FREE_WEBM_ZCom03B 0.917
- #ham SARE_FREE_WEBM_ZCom03B valid email bounce messages
- #counts SARE_FREE_WEBM_ZCom03B 12s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_ZCom03B 139s/14h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FREE_WEBM_ZCom03B 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_FREE_WEBM_ZCom03B 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_FREE_WEBM_ZCom03B 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_ZCom03B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_FREE_WEBM_ZCom03B 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_ZCom03B 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_FREE_WEBM_ZCom03B 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_ZCom03B 29s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_ZCom04 From =~ /\b(?:luxmail|olemail|sailormoon)\.com/i
- describe SARE_FREE_WEBM_ZCom04 Sender used free email account - may be spammer
- score SARE_FREE_WEBM_ZCom04 0.778
- #counts SARE_FREE_WEBM_ZCom04 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_ZCom04 19s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
- #counts SARE_FREE_WEBM_ZCom04 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_FREE_WEBM_ZCom04 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_ZCom04 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_ZCom04 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_FREE_WEBM_ZCom04 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #max SARE_FREE_WEBM_ZCom04 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_FREE_WEBM_ZCom04 10s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_ZCom04 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_ZCom06 From =~ /\b(?:clickitmail|deskpilot|killergreenmail|lancsmail|lovecat)\.com/i
- describe SARE_FREE_WEBM_ZCom06 Sender used free email account - may be spammer
- score SARE_FREE_WEBM_ZCom06 0.711
- #ham SARE_FREE_WEBM_ZCom06 confirmed
- #counts SARE_FREE_WEBM_ZCom06 3s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_ZCom06 23s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FREE_WEBM_ZCom06 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_ZCom06 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_FREE_WEBM_ZCom06 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_ZCom06 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_ZCom06 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_FREE_WEBM_ZCom06 26s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_ZCom06 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_FREE_WEBM_ZCom07 From =~ /\b(?:bolt|amnestymail)\.com/i
- describe SARE_FREE_WEBM_ZCom07 Sender used free email account - may be spammer
- score SARE_FREE_WEBM_ZCom07 0.856
- #counts SARE_FREE_WEBM_ZCom07 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_ZCom07 25s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FREE_WEBM_ZCom07 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_FREE_WEBM_ZCom07 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_ZCom07 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_FREE_WEBM_ZCom07 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_ZCom07 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_FREE_WEBM_ZCom07 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_ZCom07 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_FREE_WEBM_ZZa001 From =~ /\@702mail\.co\.za/i
- describe SARE_FREE_WEBM_ZZa001 Sender used free email account - may be spammer
- score SARE_FREE_WEBM_ZZa001 0.822
- #counts SARE_FREE_WEBM_ZZa001 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_ZZa001 38s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
- #counts SARE_FREE_WEBM_ZZa001 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
- #counts SARE_FREE_WEBM_ZZa001 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #max SARE_FREE_WEBM_ZZa001 3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_FREE_WEBM_ZZa001 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_FREE_WEBM_ZZa001 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_ZZa001 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- body __SARE_FREE_WEBM_SERV1 /Mail sent from WebMail service/i
- body __SARE_FREE_WEBM_SERV2 /spedita dal servizio WebMail/i
- body __SARE_FREE_WEBM_SERV3 /Mail enviado desde el servicio de WebMail/i
- body __SARE_FREE_WEBM_SERV4 /Mail inviata dal WebMail service/i
- body __SARE_FREE_WEBM_SERV5 /le module WebMail des service/i
- body __SARE_FREE_WEBM_SERV6 /Servizio WebMail offerto/i
- meta SARE_FREE_WEBM_SERV (__SARE_FREE_WEBM_SERV1 || __SARE_FREE_WEBM_SERV2 || __SARE_FREE_WEBM_SERV3 || __SARE_FREE_WEBM_SERV4 || __SARE_FREE_WEBM_SERV5 || __SARE_FREE_WEBM_SERV6)
- describe SARE_FREE_WEBM_SERV Sent from Webmail server
- score SARE_FREE_WEBM_SERV 0.698
- #ham SARE_FREE_WEBM_SERV confirmed (several)
- #hist SARE_FREE_WEBM_SERV Kevin Peuhkurinen, May 2005
- #counts SARE_FREE_WEBM_SERV 25s/4h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_FREE_WEBM_SERV 1104s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_FREE_WEBM_SERV 28s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_FREE_WEBM_SERV 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_FREE_WEBM_SERV 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_FREE_WEBM_SERV 48s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_FREE_WEBM_SERV 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #counts SARE_FREE_WEBM_SERV 10s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_FREE_WEBM_SERV 58s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_FREE_WEBM_SERV 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #####################################################################################
- # SARE Message-ID rules
- ######## ###################### ##################################################
- header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
- header __SARE_MSGID_D1D1D2D16 MESSAGEID =~ /<\d\.\d\.\d\d\.\d{16}[a-f0-9]{6}@/
- meta SARE_MSGID_D1D1D2D16 !__SARE_RECV_LOCALHOST && __SARE_MSGID_D1D1D2D16
- describe SARE_MSGID_D1D1D2D16 Message-ID has ratware pattern (9.9.99.9999999hex@
- score SARE_MSGID_D1D1D2D16 1.666
- #counts SARE_MSGID_D1D1D2D16 13s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_MSGID_D1D1D2D16 590s/0h of 115439 corpus (94250s/21189h) 04/30/04
- #counts SARE_MSGID_D1D1D2D16 3s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_MSGID_D1D1D2D16 46s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_MSGID_D1D1D2D16 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #counts SARE_MSGID_D1D1D2D16 22s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_MSGID_D1D1D2D16 109s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_MSGID_D1D1D2D16 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_MSGID_D5D7 MESSAGEID =~ /<\d{5}\.\d{7}\@/
- describe SARE_MSGID_D5D7 Message-ID has ratware pattern (99999.9999999@)
- score SARE_MSGID_D5D7 0.622
- #ham SARE_MSGID_D5D7 confirmed
- #counts SARE_MSGID_D5D7 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
- #max SARE_MSGID_D5D7 4s/1h of 114238 corpus (81067s/33171h RM) 01/15/05
- #counts SARE_MSGID_D5D7 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_MSGID_D5D7 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_MSGID_D5D7 25s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_MSGID_D5D7 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_MSGID_D5D7 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
- header __SARE_MSGID_DDDASH MESSAGEID =~ /<\d\d?[\$-]/
- meta SARE_MSGID_DDDASH __SARE_MSGID_DDDASH && !__SARE_RECV_LOCALHOST
- describe SARE_MSGID_DDDASH Message-ID has ratware pattern (9-, 9$, 99-)
- score SARE_MSGID_DDDASH 1.666
- #counts SARE_MSGID_DDDASH 2420s/5h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_MSGID_DDDASH 3039s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_MSGID_DDDASH 3230s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_MSGID_DDDASH 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_MSGID_DDDASH 114s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
- #counts SARE_MSGID_DDDASH 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #counts SARE_MSGID_D5D7 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_MSGID_DDDASH 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_MSGID_DDDASH 13030s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_MSGID_DDDASH 206s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_MSGID_LONG50 MESSAGEID =~ /[a-z0-9\$]{50}/
- describe SARE_MSGID_LONG50 Exceedingly long message id
- score SARE_MSGID_LONG50 0.619
- #ihst SARE_MSGID_LONG50 Created by Frederic Tarasevicius
- #counts SARE_MSGID_LONG50 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_MSGID_LONG50 575s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
- #counts SARE_MSGID_LONG50 14s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_MSGID_LONG50 15s/5h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_MSGID_LONG50 38s/2h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_MSGID_LONG50 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #max SARE_MSGID_LONG50 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_MSGID_LONG50 26s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_MSGID_LONG50 10s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_MSGID_QMAIL1 MESSAGEID =~ /^<.*[a-z].*\.qmail\@.*>/
- describe SARE_MSGID_QMAIL1 Contains spoofing message id
- score SARE_MSGID_QMAIL1 0.056
- #ham SARE_MSGID_QMAIL1 confirmed
- #hist SARE_MSGID_QMAIL1 David Hooton, Fri, 11 Jun 2004
- #counts SARE_MSGID_QMAIL1 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_MSGID_QMAIL1 31s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
- #counts SARE_MSGID_QMAIL1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #max SARE_MSGID_QMAIL1 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_MSGID_QMAIL1 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_MSGID_QMAIL1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_MSGID_QMAIL1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_MSGID_QMAIL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_MSGID_QMAIL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_MSGID_RATWARE2 MESSAGEID =~ /\<\d{10,15}\.\d{18,40}\@[a-z]+\>/ # no /i!
- describe SARE_MSGID_RATWARE2 Message-Id is <digits.digits@letters>
- score SARE_MSGID_RATWARE2 0.639
- #hist SARE_MSGID_RATWARE2 Loren Wilton Sat, 3 Apr 2004 20:29:32 -0800
- #matches SARE_MSGID_RATWARE2 numbers.numbers@letters
- #counts SARE_MSGID_RATWARE2 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_MSGID_RATWARE2 1640s/0h of 115925 corpus (94616s/21309h) 05/01/04
- #counts SARE_MSGID_RATWARE2 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_MSGID_RATWARE2 33s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_MSGID_RATWARE2 66s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_MSGID_RATWARE2 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_MSGID_RATWARE2 31s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_MSGID_RATWARE2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #max SARE_MSGID_RATWARE2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_MSGID_RATWARE2 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_MSGID_RATWARE2 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_MSGID_SHORT MESSAGEID =~ /^.{1,6}$/
- describe SARE_MSGID_SHORT Message ID is too short to be valid.
- score SARE_MSGID_SHORT 0.856
- #hist SARE_MSGID_SHORT RM_hm_ShortMsgid6
- #counts SARE_MSGID_SHORT 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_MSGID_SHORT 191s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
- #counts SARE_MSGID_SHORT 16s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_MSGID_SHORT 34s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_MSGID_SHORT 40s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_MSGID_SHORT 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_MSGID_SHORT 68s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_MSGID_SHORT 18s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_MSGID_SHORT 28s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #####################################################################################
- # SARE Received Header Rules
- ######## ###################### ##################################################
- header SARE_HELO_EQ_DSL_3 X-Spam-Relays-Untrusted =~ /helo=dsl-/
- score SARE_HELO_EQ_DSL_3 1.022
- #ham SARE_HELO_EQ_DSL_3 confirmed (several)
- #hist SARE_HELO_EQ_DSL_3 Frederic Tarasevicius, Feb 22 2005
- #counts SARE_HELO_EQ_DSL_3 232s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HELO_EQ_DSL_3 529s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HELO_EQ_DSL_3 51s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HELO_EQ_DSL_3 143s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_HELO_EQ_DSL_3 149s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
- #counts SARE_HELO_EQ_DSL_3 23s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_HELO_EQ_DSL_3 42s/1h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_HELO_EQ_DSL_3 22s/2h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_HELO_EQ_DSL_3 68s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HELO_EQ_DSL_3 84s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HELO_EQ_DSL_3 117s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_HELO_EQ_PPPOE X-Spam-Relays-Untrusted =~ /helo=pppoe-\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}/i
- score SARE_HELO_EQ_PPPOE 0.555
- #stype SARE_HELO_EQ_PPPOE spamp
- #hist SARE_HELO_EQ_PPPOE Frederic Tarasevicius, Feb 22 2005
- #counts SARE_HELO_EQ_PPPOE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HELO_EQ_PPPOE 3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HELO_EQ_PPPOE 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_HELO_EQ_PPPOE 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
- #counts SARE_HELO_EQ_PPPOE 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
- #counts SARE_HELO_EQ_PPPOE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HELO_EQ_PPPOE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_HELO_YAHOO Received =~ /helo=yahoo\.com/i
- describe SARE_HELO_YAHOO Received header has spamsign
- score SARE_HELO_YAHOO 0.828
- #ham SARE_HELO_YAHOO confirmed (6), generated by X-Mailer: Apple Mail (2.552)
- #hist SARE_HELO_YAHOO Created by Bob Menschel Oct 26 2004
- #counts SARE_HELO_YAHOO 41s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HELO_YAHOO 663s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HELO_YAHOO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_HELO_YAHOO 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_HELO_YAHOO 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_HELO_YAHOO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_HEAD_8BIT_RECV Received =~ /[\x80-\xff]{3,}/
- describe SARE_HEAD_8BIT_RECV High-ascii characters found in strange header
- score SARE_HEAD_8BIT_RECV 1.666
- #ham SARE_HEAD_8BIT_RECV verified (1)
- #hist SARE_HEAD_8BIT_RECV From Bugzilla # 2243
- #counts SARE_HEAD_8BIT_RECV 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_8BIT_RECV 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_8BIT_RECV 21s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_8BIT_RECV 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_HEAD_8BIT_RECV 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
- #counts SARE_HEAD_8BIT_RECV 10s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_HEAD_8BIT_RECV 13s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_8BIT_RECV 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_FEP5 Received =~ /by fep5\./i
- describe SARE_RECV_FEP5 Message contains known spam format
- score SARE_RECV_FEP5 1.666
- #ham SARE_RECV_FEP5 verified (1)
- #counts SARE_RECV_FEP5 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_FEP5 528s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
- #counts SARE_RECV_FEP5 7s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
- #counts SARE_RECV_FEP5 27s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_FEP5 479s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_FEP5 208s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_FEP5 72s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_FEP5 6s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_RECV_MDNETCOMBR Received =~ /\bmdnet\.com\.br/
- describe SARE_RECV_MDNETCOMBR Came through/fromsite used by spammer
- score SARE_RECV_MDNETCOMBR 0.756
- #counts SARE_RECV_MDNETCOMBR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_MDNETCOMBR 33s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
- #counts SARE_RECV_MDNETCOMBR 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_MDNETCOMBR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_RECV_MDNETCOMBR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_MDNETCOMBR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_RECV_PATMEDIA Received =~ /\bpatmedia\.net/i
- describe SARE_RECV_PATMEDIA Passed through possible spammer relay or source
- score SARE_RECV_PATMEDIA 0.964
- #stype SARE_RECV_PATMEDIA spamp
- #hist SARE_RECV_PATMEDIA Created by Bob Menschel Aug 19 2004
- #counts SARE_RECV_PATMEDIA 10s/19h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_PATMEDIA 47s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_PATMEDIA 15s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_RECV_PATMEDIA 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_PATMEDIA 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_PATMEDIA 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_PATMEDIA 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_PATMEDIA 93s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_PATMEDIA 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header __SARE_RECV_PORTHELOA Received =~ /helo=\[\w+\]/i
- header __SARE_RECV_PORTHELOB Received =~ /\(port=\d{4} helo=\[\w+\]\)/i
- header SARE_RECV_PORTHELO_1 Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \(port=\d{4} helo=\[\w+\]\)/i
- meta SARE_RECV_PORTHELO_2 __SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
- meta SARE_RECV_PORTHELO_3 __SARE_RECV_PORTHELOA && !__SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
- describe SARE_RECV_PORTHELO_1 Apparent Spamsign in Received header
- describe SARE_RECV_PORTHELO_2 Apparent Spamsign in Received header
- describe SARE_RECV_PORTHELO_3 Apparent Spamsign in Received header
- score SARE_RECV_PORTHELO_1 1.666
- #note SARE_RECV_PORTHELO_1 As of June 8 2005, all three rules in this family hit identically.
- #note SARE_RECV_PORTHELO_1 We score them based on their "safety".
- #hist SARE_RECV_PORTHELO_1 Loren Wilton, June 2005
- #counts SARE_RECV_PORTHELO_1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_PORTHELO_1 5201s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_PORTHELO_1 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_PORTHELO_1 42s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_RECV_PORTHELO_1 116s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_PORTHELO_1 0s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #max SARE_RECV_PORTHELO_1 83s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
- #counts SARE_RECV_PORTHELO_1 69s/0h of 55754 corpus (18581s/37173h JH-3.01) 06/10/05
- #counts SARE_RECV_PORTHELO_1 230s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_PORTHELO_1 286s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- score SARE_RECV_PORTHELO_2 2.000
- #counts SARE_RECV_PORTHELO_2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- score SARE_RECV_PORTHELO_3 2.222
- #counts SARE_RECV_PORTHELO_3 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_PORTHELO_3 499s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_PORTHELO_3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- header SARE_RECV_SKANOVA Received =~ /\bskanova\.com/i
- describe SARE_RECV_SKANOVA From or passed through spammer/unreliable domain
- score SARE_RECV_SKANOVA 0.660
- #ham SARE_RECV_SKANOVA verified (several)
- #hist SARE_RECV_SKANOVA Created by Bob Menschel Apr 03 2004
- #counts SARE_RECV_SKANOVA 37s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_SKANOVA 197s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_SKANOVA 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_SKANOVA 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_SKANOVA 18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_RECV_SKANOVA 15s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
- #counts SARE_RECV_SKANOVA 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_SKANOVA 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_RECV_SKANOVA 43s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_SKANOVA 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_SPAM_DOMN02 Received =~ /\b(?:dsl\.telesp|speedyterra)\.(?:com|net)\.br/
- describe SARE_RECV_SPAM_DOMN02 Email passed through apparent spammer domain
- score SARE_RECV_SPAM_DOMN02 1.666
- #ham SARE_RECV_SPAM_DOMN02 Confirmed (5)
- #counts SARE_RECV_SPAM_DOMN02 31s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_SPAM_DOMN02 1953s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_SPAM_DOMN02 138s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_SPAM_DOMN02 168s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #max SARE_RECV_SPAM_DOMN02 187s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_RECV_SPAM_DOMN02 17s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_SPAM_DOMN02 64s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_SPAM_DOMN02 60s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_SPAM_DOMN02 631s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_SPAM_DOMN02 194s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_SPAM_DOMN04 Received =~ /\b(?:megared)\.(?:com|net)\.mx/
- describe SARE_RECV_SPAM_DOMN04 Email passed through apparent spammer domain
- score SARE_RECV_SPAM_DOMN04 0.772
- #ham SARE_RECV_SPAM_DOMN04 verified (3)
- #counts SARE_RECV_SPAM_DOMN04 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_SPAM_DOMN04 244s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_SPAM_DOMN04 29s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_SPAM_DOMN04 34s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_SPAM_DOMN04 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #counts SARE_RECV_SPAM_DOMN04 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_SPAM_DOMN04 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_SPAM_DOMN04 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_SPAM_DOMN04 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_SPAM_DOMN06 Received =~ /adsl.cust.tie.cl/i
- describe SARE_RECV_SPAM_DOMN06 Passed through possible spammer relay or source
- score SARE_RECV_SPAM_DOMN06 0.678
- #ham SARE_RECV_SPAM_DOMN06 verified (1)
- #hist SARE_RECV_SPAM_DOMN06 Created by Bob Menschel Jul 17 2004
- #counts SARE_RECV_SPAM_DOMN06 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_SPAM_DOMN06 161s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_SPAM_DOMN06 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_SPAM_DOMN06 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_SPAM_DOMN06 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_SPAM_DOMN06 6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_SPAM_DOMN06 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_SPAM_DOMN06 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_SPAM_DOMN06 27s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_SPAM_DOMN06 15s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_SPAM_DOMN0a Received =~ /\b(?:cyberemailings|netmedia-corp|themailservers|ucanrecover|vnuemedia|winnerssweepstakes|wseas|www--directory)\.(?:com|net|org|info)/
- describe SARE_RECV_SPAM_DOMN0a Email passed through apparent spammer domain
- score SARE_RECV_SPAM_DOMN0a 0.917
- #ham SARE_RECV_SPAM_DOMN0a 218-162-39-132.dynamic.hinet.net, valid/appropriate UCE
- #hist SARE_RECV_SPAM_DOMN0a freeserve.com removed May 16 2005
- #counts SARE_RECV_SPAM_DOMN0a 28s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_SPAM_DOMN0a 242s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
- #counts SARE_RECV_SPAM_DOMN0a 19s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_SPAM_DOMN0a 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_SPAM_DOMN0a 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_SPAM_DOMN0a 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_SPAM_DOMN0a 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_SPAM_DOMN0a 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_SPAM_DOMN0a 8s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_SPAM_DOMN0a 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_SPAM_DOMN0b Received =~ /\bdynamic.hinet\.(?:com|net|org|info)/
- describe SARE_RECV_SPAM_DOMN0b Email passed through apparent spammer domain
- score SARE_RECV_SPAM_DOMN0b 1.666
- #ham SARE_RECV_SPAM_DOMN0b confirmed (many)
- #counts SARE_RECV_SPAM_DOMN0b 1272s/39h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_SPAM_DOMN0b 4287s/20h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_SPAM_DOMN0b 809s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_SPAM_DOMN0b 40s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_SPAM_DOMN0b 25s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_SPAM_DOMN0b 59s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_SPAM_DOMN0b 43s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_SPAM_DOMN0b 600s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_SPAM_DOMN0b 399s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_SPEEDY_AR Received =~ /\b(?:speedy)\.(?:com|net)\.ar/
- describe SARE_RECV_SPEEDY_AR Email passed through apparent spammer domain
- score SARE_RECV_SPEEDY_AR 0.808
- #ham SARE_RECV_SPEEDY_AR From: "Hushport Admin" <postmaster@hushport.com>, Received: from nairobi (200-63-141-89.speedy.com.ar [200.63.141.89])
- #counts SARE_RECV_SPEEDY_AR 60s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_SPEEDY_AR 278s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_SPEEDY_AR 10s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_RECV_SPEEDY_AR 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_SPEEDY_AR 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_SPEEDY_AR 14s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_SPEEDY_AR 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_SPEEDY_AR 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_SPEEDY_AR 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_SPEEDY_AR 51s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_UK2NET2 Received =~ /\buk2\.net\b/i
- describe SARE_RECV_UK2NET2 Passed through possible spammer relay or source
- score SARE_RECV_UK2NET2 0.917
- #hist SARE_RECV_UK2NET2 Created by Bob Menschel Oct 01 2004
- #counts SARE_RECV_UK2NET2 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #counts SARE_RECV_UK2NET2 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_UK2NET2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_UK2NET2 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_UK2NET2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #max SARE_RECV_UK2NET2 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_RECV_UK2NET2 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_UK2NET2 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_RECV_UK2NET2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_UK2NET2 7s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_VIRTUACOMBR Received =~ /\bvirtua\.com\.br/
- describe SARE_RECV_VIRTUACOMBR Came through/fromsite used by spammer
- score SARE_RECV_VIRTUACOMBR 1.193
- #ham SARE_RECV_VIRTUACOMBR confirmed (4)
- #hist SARE_RECV_VIRTUACOMBR RM_hr_VirtuaComBr
- #counts SARE_RECV_VIRTUACOMBR 32s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_VIRTUACOMBR 882s/45h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_VIRTUACOMBR 36s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_VIRTUACOMBR 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_VIRTUACOMBR 20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_RECV_VIRTUACOMBR 104s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_VIRTUACOMBR 25s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_VIRTUACOMBR 37s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_VIRTUACOMBR 193s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_VIRTUACOMBR 63s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #####################################################################################
- # SARE Received Header IP Address Rules
- ######## ###################### ##################################################
- #eader __SARE_RECV_BEZEQINT Received =~ /\bbezeqint\.net/
- header __SARE_RECV_BEZEQINT1 Received =~ /\[212\.179\.13\.\d{1,3}\]/
- header __SARE_RECV_BEZEQINT2 Received =~ /\[212\.179\.(?:8\d|9[1-46-9]|10[0-6]|11[6-9]|12[89]|1[3-6]\d|17[0-36-9]|19[02-9]|2\d\d)\.\d{1,3}\]/
- header __SARE_RECV_BEZEQINT3 Received =~ /\[62\.219\.(?:4[89]|5[1-9]|[67]\d|11[2-9]|1[2-5]\d|189|192)\.\d{1,3}\]/
- header __SARE_RECV_BEZEQINT4 Received =~ /\[81\.218\.(?:\d{1,2}|1[01]\d|12[0-7]|13[2-9]|1[4-9]\d|2\d\d)\.\d{1,3}\]/
- header __SARE_RECV_BEZEQINT5 Received =~ /\[82\.80\.(?:\d|[1-5]\d|6[0-3]|12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3}\]/
- header __SARE_RECV_BEZEQINT6 Received =~ /\[82\.81\.(?:\d|\d\d|1[01]\d|12[0-7]|19[2-9]|2[01]\d|22[0-3])\.\d{1,3}\]/
- meta SARE_RECV_BEZEQINT_B __SARE_RECV_BEZEQINT1 || __SARE_RECV_BEZEQINT2 || __SARE_RECV_BEZEQINT3 || __SARE_RECV_BEZEQINT4 || __SARE_RECV_BEZEQINT5 || __SARE_RECV_BEZEQINT6
- describe SARE_RECV_BEZEQINT_B Came through/fromsite used by spammer
- score SARE_RECV_BEZEQINT_B 0.763
- #ham SARE_RECV_BEZEQINT_B verified (4)
- #hist SARE_RECV_BEZEQINT_B Created by Bob Menschel Jan 29 from data supplied by Bezeqint.net to replace SARE_RECV_BEZEQINT
- #counts SARE_RECV_BEZEQINT_B 23s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_BEZEQINT_B 494s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_BEZEQINT_B 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_BEZEQINT_B 24s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_BEZEQINT_B 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_BEZEQINT_B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_BEZEQINT_B 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_BEZEQINT_B 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_BEZEQINT_B 38s/2h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_BEZEQINT_B 20s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_FROMIP1 Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i
- describe SARE_RECV_IP_FROMIP1 Received line is IP address from IP address
- score SARE_RECV_IP_FROMIP1 1.666
- #hist SARE_RECV_IP_FROMIP1 From Regis Wilson, Wed, 24 Mar 2004, SUSP_IP_RECEIVED
- #ham SARE_RECV_IP_FROMIP1 ham: South Valley Bank
- #counts SARE_RECV_IP_FROMIP1 598s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_FROMIP1 2940s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_FROMIP1 186s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_FROMIP1 1547s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_FROMIP1 1784s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_FROMIP1 18s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_FROMIP1 639s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_RECV_IP_FROMIP1 81s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_FROMIP1 661s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_FROMIP1 173s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_FROMIP1 730s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_FROMIP3 ALL =~ /Received: from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by [a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz); [SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}/i
- describe SARE_RECV_IP_FROMIP3 Received line is IP address from IP address
- score SARE_RECV_IP_FROMIP3 0.711
- #match SARE_RECV_IP_FROMIP3 Received: from 2.19.230.24 by web9DKKRb8QDIGIT.mail.yahoo.com; Sun, 28 Mar 2004 22:08:01 -0500
- #ham SARE_RECV_IP_FROMIP3 Messages from a cell phone
- #hist SARE_RECV_IP_FROMIP3 From Fred <tech2@i-is.com>, Fri, 2 Apr 2004, RE_hrip_IPfromIPc
- #counts SARE_RECV_IP_FROMIP3 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_FROMIP3 587s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_FROMIP3 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_FROMIP3 111s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_FROMIP3 155s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_RECV_IP_FROMIP3 1s/4h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_FROMIP3 46s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_RECV_IP_FROMIP3 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_FROMIP3 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_FROMIP3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_FROMIP3 19s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_061050 Received =~ /\[61\.5[01]\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_061050 Spam passed through possible spammer relay
- score SARE_RECV_IP_061050 1.544
- #ham SARE_RECV_IP_061050 confirmed (2)
- #counts SARE_RECV_IP_061050 66s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_061050 757s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_061050 62s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_061050 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_061050 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_061050 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_IP_061050 7s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_IP_061050 23s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_061050 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_061072 Received =~ /\[61\.7[2-7]\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_061072 Passed through possible spammer relay or source
- score SARE_RECV_IP_061072 1.592
- #note SARE_RECV_IP_061072 Korea Telecom
- #hist SARE_RECV_IP_061072 Created by Bob Menschel Nov 02 2004
- #ham SARE_RECV_IP_061072 verified (1)
- #counts SARE_RECV_IP_061072 42s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_061072 2043s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_061072 61s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_061072 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_061072 11s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_061072 48s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_RECV_IP_061072 11s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_061072 21s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_RECV_IP_061072 177s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_061072 33s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_061187 Received =~ /\[61\.187\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_061187 Passed through possible spammer relay or source
- score SARE_RECV_IP_061187 0.694
- #hist SARE_RECV_IP_061187 Created by Bob Menschel Aug 09 2004
- #counts SARE_RECV_IP_061187 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_061187 36s/1h of 114241 corpus (81067s/33174h RM) 01/15/05
- #counts SARE_RECV_IP_061187 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_061187 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_061187 4s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
- #counts SARE_RECV_IP_061187 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_061187 20s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_IP_061187 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_IP_061187 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_061187 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_061190 Received =~ /\[61\.190\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_061190 Spam passed through possible spammer relay
- score SARE_RECV_IP_061190 1.111
- #stype SARE_RECV_IP_061190 spamp
- #hist SARE_RECV_IP_061190 Created by Bob Menschel Apr 04 2004
- #counts SARE_RECV_IP_061190 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_061190 42s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_061190 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_061190 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_061190 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_061190 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_061190 5s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_IP_061190 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_IP_061190 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_061190 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_061228 Received =~ /\[61\.(?:22[89]|23[01])\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_061228 Spam passed through possible spammer relay
- score SARE_RECV_IP_061228 0.895
- #ham SARE_RECV_IP_061228 verified (1)
- #counts SARE_RECV_IP_061228 229s/8h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_061228 757s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_061228 140s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_061228 6s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_061228 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_061228 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_IP_061228 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_IP_061228 85s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_061228 80s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_066017 Received =~ /\[66\.17\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}\]/
- describe SARE_RECV_IP_066017 Passed through possible spammer relay or source
- score SARE_RECV_IP_066017 0.637
- #ham SARE_RECV_IP_066017 confirmed (8)
- #note SARE_RECV_IP_066017 Yipes Communications Inc
- #hist SARE_RECV_IP_066017 Created by Bob Menschel Nov 20 2004
- #counts SARE_RECV_IP_066017 16s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_066017 88s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_066017 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_066017 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_066017 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_066017 61s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_066017 335s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_IP_066017 0s/8h of 10590 corpus (5819s/4771h CT) 07/26/05
- #max SARE_RECV_IP_066017 149s/8h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_066017 52s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_066017 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_RECV_IP_066165224 Received =~ /\[66\.165\.2(?:2[4-9]|3\d)\.\d{1,3}\]/
- describe SARE_RECV_IP_066165224 Spam passed through possible spammer relay
- score SARE_RECV_IP_066165224 1.278
- #ham SARE_RECV_IP_066165224 confirmed: 3
- #hist SARE_RECV_IP_066165224 Created by Bob Menschel May 14 2005
- #note SARE_RECV_IP_066165224 Cyber World Internet Services
- #counts SARE_RECV_IP_066165224 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_066165224 34s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
- #counts SARE_RECV_IP_066165224 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_066165224 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_066165224 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_066165224 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- #counts SARE_RECV_IP_066165224 4s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_066165224 124s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- header SARE_RECV_IP_069050210 Received =~ /\[69\.50\.210\.\d{1,3}\]/
- describe SARE_RECV_IP_069050210 Spam passed through possible spammer relay
- score SARE_RECV_IP_069050210 0.700
- #ham SARE_RECV_IP_069050210 confirmed (2)
- #hist SARE_RECV_IP_069050210 Created by Fred Tarasevicius May 2005
- #counts SARE_RECV_IP_069050210 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_069050210 49s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_069050210 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_069050210 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #max SARE_RECV_IP_069050210 12s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
- #counts SARE_RECV_IP_069050210 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_069050210 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- header SARE_RECV_IP_069060096 Received =~ /\[69\.60\.(?:9[6-9]|1(?:[01]\d|2[0-7]))\.\d{1,3}\]/
- describe SARE_RECV_IP_069060096 Spam passed through possible spammer relay
- score SARE_RECV_IP_069060096 1.666
- #ham SARE_RECV_IP_069060096 verified (1)
- #hist SARE_RECV_IP_069060096 Created by Bob Menschel May 14 2005
- #counts SARE_RECV_IP_069060096 112s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_069060096 6813s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_069060096 11s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_RECV_IP_069060096 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_IP_069060096 409s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_069060096 166s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #counts SARE_RECV_IP_069060096 368s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_069060096 398s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- header SARE_RECV_IP_082080 Received =~ /\[82\.80\.(?:12[89]|1[3-8]\d|191)\.\d{1,3}\]/
- describe SARE_RECV_IP_082080 Spam passed through possible spammer relay
- score SARE_RECV_IP_082080 1.111
- #stype SARE_RECV_IP_082080 spamp
- #counts SARE_RECV_IP_082080 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_082080 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_082080 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_082080 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_082080 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_082080 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_RECV_IP_082080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_082080 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_082080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_RECV_IP_082102 Received =~ /\[82\.102\.(?:3[2-9]|[45]\d|6[0-3]).\d{1,3}\]/
- describe SARE_RECV_IP_082102 Spam passed through possible spammer relay
- score SARE_RECV_IP_082102 0.555
- #stype SARE_RECV_IP_082102 spamp
- #hist SARE_RECV_IP_082102 Created by Bob Menschel May 20 2004
- #counts SARE_RECV_IP_082102 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_082102 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_082102 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_082102 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_082102 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_RECV_IP_082102 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_082102 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_082102 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_082102 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_082154 Received =~ /\[82\.15[45]\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_082154 Passed through possible spammer relay or source
- score SARE_RECV_IP_082154 1.666
- #ham SARE_RECV_IP_082154 confirmed (1)
- #hist SARE_RECV_IP_082154 Created by Bob Menschel Aug 10 2004
- #counts SARE_RECV_IP_082154 256s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_082154 572s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_082154 62s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_082154 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_082154 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_082154 43s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_RECV_IP_082154 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_IP_082154 231s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_082154 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_083028 Received =~ /\[83\.28\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_083028 Passed through possible spammer relay or source
- score SARE_RECV_IP_083028 1.666
- #ham SARE_RECV_IP_083028 verified (1)
- #hist SARE_RECV_IP_083028 Created by Bob Menschel Sep 10 2004
- #note SARE_RECV_IP_083028 Large block of IP addresses in Poland
- #counts SARE_RECV_IP_083028 8s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_083028 171s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_083028 157s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_083028 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_083028 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_083028 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
- #counts SARE_RECV_IP_083028 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_IP_083028 42s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_083028 19s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_140117 Received =~ /\[140\.1(?:1[789]|2\d|3[0-8])\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_140117 Passed through possible spammer relay or source
- score SARE_RECV_IP_140117 0.690
- #ham SARE_RECV_IP_140117 confirmed (1)
- #hist SARE_RECV_IP_140117 Created by Bob Menschel Oct 03 2004
- #note SARE_RECV_IP_140117 Ministry of Education Computing Center, Taipei, Taiwan
- #counts SARE_RECV_IP_140117 26s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_140117 87s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_140117 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_140117 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_140117 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #counts SARE_RECV_IP_140117 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_140117 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_140117 22s/4h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_140117 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_142046 Received =~ /\[142\.46\.148\.\d{1,3}\]/
- describe SARE_RECV_IP_142046 Passed through possible spammer relay or source
- score SARE_RECV_IP_142046 0.555
- #stype SARE_RECV_IP_142046 spamp
- #hist SARE_RECV_IP_142046 Created by Bob Menschel Feb 10 2005 from Spam-L info
- #counts SARE_RECV_IP_142046 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
- #max SARE_RECV_IP_142046 8s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
- #counts SARE_RECV_IP_142046 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_142046 5s/0h of 155106 corpus (103557s/51549h DOC) 05/14/06
- #counts SARE_RECV_IP_142046 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- #counts SARE_RECV_IP_142046 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
- #counts SARE_RECV_IP_142046 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
- header SARE_RECV_IP_192116 Received =~ /\[192\.116\.13[3-7]\.\d{1,3}\]/
- describe SARE_RECV_IP_192116 Passed through possible spammer relay or source
- score SARE_RECV_IP_192116 0.861
- #note SARE_RECV_IP_192116 GILAT-SATCOM
- #hist SARE_RECV_IP_192116 Created by Bob Menschel Nov 16 2004
- #counts SARE_RECV_IP_192116 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_192116 52s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
- #counts SARE_RECV_IP_192116 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_192116 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_RECV_IP_192116 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_192116 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_192116 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_RECV_IP_200150 Received =~ /\[200\.150\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_200150 Spam passed through possible spammer relay
- score SARE_RECV_IP_200150 0.612
- #ham SARE_RECV_IP_200150 confirmed (2)
- #hist SARE_RECV_IP_200150 Created by Bob Menschel Aug 29 2004
- #counts SARE_RECV_IP_200150 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_200150 142s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_200150 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_200150 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_200150 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #counts SARE_RECV_IP_200150 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_200150 3s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_200150 14s/5h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_200150 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_203210128 Received =~ /\[203.210\.(?:1(?:2[89]|[3-9]\d)|2\d\d)\.\d{1,3}\]/
- describe SARE_RECV_IP_203210128 Spam passed through possible spammer relay
- score SARE_RECV_IP_203210128 0.959
- #ham SARE_RECV_IP_203210128 verified (3)
- #hist SARE_RECV_IP_203210128 Created by Bob Menschel May 14 2005
- #note SARE_RECV_IP_203210128 Vietnam Posts and Telecommunications (VNPT)
- #counts SARE_RECV_IP_203210128 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_203210128 56s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_203210128 43s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_203210128 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_203210128 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_203210128 13s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_203210128 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_203210128 79s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_IP_203210128 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_203210128 116s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_203177 Received =~ /\[203\.177\.1(?:2[89]|[3-8]\d|9[01])\.\d{1,3}\]/
- describe SARE_RECV_IP_203177 Passed through possible spammer relay or source
- score SARE_RECV_IP_203177 0.772
- #hist SARE_RECV_IP_203177 Created by Bob Menschel Aug 20 2004
- #ham SARE_RECV_IP_203177 verified (1)
- #counts SARE_RECV_IP_203177 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #max SARE_RECV_IP_203177 42s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
- #counts SARE_RECV_IP_203177 23s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_203177 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_203177 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #max SARE_RECV_IP_203177 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_IP_203177 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_203177 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_203177 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_203177 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_206131 Received =~ /\[206\.131\.2(?:2[4-9]|[345]\d)\.\d{1,3}\]/
- describe SARE_RECV_IP_206131 Spam passed through possible spammer relay
- score SARE_RECV_IP_206131 1.666
- #ham SARE_RECV_IP_206131 confirmed (1)
- #hist SARE_RECV_IP_206131 Created by Bob Menschel Feb 5 2005 from Spam-L info
- #note SARE_RECV_IP_206131 Minerva Network Systems, Inc.
- #counts SARE_RECV_IP_206131 54s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_206131 2849s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_206131 692s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_206131 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
- #counts SARE_RECV_IP_206131 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_206131 34s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_RECV_IP_206131 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_IP_206131 1699s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_206131 31s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_209051 Received =~ /\[209\.51\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
- describe SARE_RECV_IP_209051 Spam passed through possible spammer relay
- score SARE_RECV_IP_209051 1.111
- #stype SARE_RECV_IP_209051 spamp
- #hist SARE_RECV_IP_209051 Created by Bob Menschel Aug 07 2005
- #note SARE_RECV_IP_209051 S-INFOTECH, Inc.
- #counts SARE_RECV_IP_209051 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_209051 56s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_209051 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
- #counts SARE_RECV_IP_209051 22s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_209051 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #counts SARE_RECV_IP_209051 1s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
- header SARE_RECV_IP_216118120 Received =~ /\[216\.118\.120\.(?:6[4-9]|[78]\d|9[0-1])\]/
- describe SARE_RECV_IP_216118120 Spam passed through possible spammer relay
- score SARE_RECV_IP_216118120 2.222
- #hist SARE_RECV_IP_216118120 Created by Bob Menschel Aug 07 2005
- #counts SARE_RECV_IP_216118120 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_216118120 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_216118120 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
- #counts SARE_RECV_IP_216118120 10s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_216118120 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
- header SARE_RECV_IP_211216 Received =~ /\[211\.2(?:1[6-9]|2[0-5]\d)\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_211216 Passed through possible spammer relay or source
- score SARE_RECV_IP_211216 0.978
- #stype SARE_RECV_IP_211216 max:1.000
- #ham SARE_RECV_IP_211216 confirmed (1) - YahooGroups moderated group, posting approved by moderator
- #hist SARE_RECV_IP_211216 Created by Bob Menschel Aug 20 2004
- #note SARE_RECV_IP_211216 Korea Telecom
- #note SARE_RECV_IP_211216 Score kept low to avoid FPs for naver.com
- #counts SARE_RECV_IP_211216 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_211216 1308s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_211216 33s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_211216 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_211216 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_211216 40s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_RECV_IP_211216 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_211216 14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_211216 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_211216 14s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_212068 Received =~ /\[212\.68\.2[45]\d\.\d{1,3}\]/
- describe SARE_RECV_IP_212068 Spam passed through possible spammer relay
- score SARE_RECV_IP_212068 1.111
- #stype SARE_RECV_IP_212068 spamp
- #hist SARE_RECV_IP_212068 Created by Bob Menschel Apr 09 2004
- #counts SARE_RECV_IP_212068 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_212068 18s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_212068 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_212068 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_212068 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_RECV_IP_212068 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_212068 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_212068 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_212068 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_216022 Received =~ /\[216\.22\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_216022 Spam passed through possible spammer relay
- score SARE_RECV_IP_216022 1.666
- #hist SARE_RECV_IP_216022 Created by Bob Menschel May 14 2005
- #counts SARE_RECV_IP_216022 270s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_216022 1146s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_216022 196s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_216022 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_216022 554s/6h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_216022 212s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #counts SARE_RECV_IP_216022 307s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- header SARE_RECV_IP_218070 Received =~ /\[218\.70\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_218070 Spam passed through possible spammer relay
- score SARE_RECV_IP_218070 1.111
- #stype SARE_RECV_IP_218070 spamp
- #counts SARE_RECV_IP_218070 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_218070 21s/0h of 112471 corpus (92494s/19977h) 03/14/04
- #counts SARE_RECV_IP_218070 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_218070 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #max SARE_RECV_IP_218070 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_RECV_IP_218070 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_218070 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_RECV_IP_218070 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_218070 3s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_218072 Received =~ /\[218\.72\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_218072 Spam passed through possible spammer relay
- score SARE_RECV_IP_218072 0.813
- #hist SARE_RECV_IP_218072 Created by Bob Menschel May 23 2004
- #counts SARE_RECV_IP_218072 87s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #counts SARE_RECV_IP_218072 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_218072 22s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_RECV_IP_218072 13s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_218072 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_218072 133s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_IP_218072 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_218072 13s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_218072 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_218072 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_218078 Received =~ /\[218\.(?:7[89]|8[0123])\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_218078 Passed through possible spammer relay or source
- score SARE_RECV_IP_218078 1.666
- #hist SARE_RECV_IP_218078 Created by Bob Menschel Oct 07 2004
- #ham SARE_RECV_IP_218078 confirmed (1)
- #note SARE_RECV_IP_218078 ChinaNet, Shanghai Province
- #counts SARE_RECV_IP_218078 34s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_218078 581s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
- #counts SARE_RECV_IP_218078 51s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_218078 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_218078 136s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_218078 677s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_IP_218078 53s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_218078 74s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_218078 67s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_218078 58s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_218088 Received =~ /\[218\.8[89]\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_218088 Passed through possible spammer relay or source
- score SARE_RECV_IP_218088 1.100
- #ham SARE_RECV_IP_218088 confirmed: 1
- #note SARE_RECV_IP_218088 CHINANET sichuan province network
- #hist SARE_RECV_IP_218088 Created by Bob Menschel Nov 04 2004
- #counts SARE_RECV_IP_218088 29s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_218088 111s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
- #counts SARE_RECV_IP_218088 15s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_218088 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_218088 13s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
- #counts SARE_RECV_IP_218088 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_218088 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_IP_218088 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_218088 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_218088 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_218088 25s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_218216 Received =~ /\[218\.(?:21[6-9]|22\d|23[01])\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_218216 Passed through possible spammer relay or source
- score SARE_RECV_IP_218216 0.629
- #ham SARE_RECV_IP_218216 confirmed (2)
- #hist SARE_RECV_IP_218216 Created by Bob Menschel Oct 23 2004
- #counts SARE_RECV_IP_218216 88s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_218216 260s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_218216 31s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_218216 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_RECV_IP_218216 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_218216 12s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
- #counts SARE_RECV_IP_218216 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_218216 11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_218216 121s/22h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_218216 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_219128 Received =~ /\[219\.1(?:2[89]|3[0-7])\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_219128 Passed through possible spammer relay or source
- score SARE_RECV_IP_219128 1.666
- #hist SARE_RECV_IP_219128 Created by Bob Menschel Aug 23 2004
- #counts SARE_RECV_IP_219128 381s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_219128 1752s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_219128 114s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_219128 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_219128 79s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_219128 225s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_RECV_IP_219128 52s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_RECV_IP_219128 36s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_219128 116s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_220116 Received =~ /\[220\.(?:11[6-9]|12[0-7])\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_220116 Passed through possible spammer relay or source
- score SARE_RECV_IP_220116 1.666
- #ham SARE_RECV_IP_220116 confirmed (1)
- #hist SARE_RECV_IP_220116 Created by Bob Menschel Jul 17 2004
- #note SARE_RECV_IP_220116 Korea Telecom
- #counts SARE_RECV_IP_220116 180s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_220116 1177s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_220116 192s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_220116 108s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_220116 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_220116 161s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #counts SARE_RECV_IP_220116 23s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_220116 58s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_RECV_IP_220116 206s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_220116 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_221124 Received =~ /\[221\.12[4-7]\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_221124 Spam passed through possible spammer relay
- score SARE_RECV_IP_221124 1.666
- #hist SARE_RECV_IP_221124 Created by Bob Menschel May 30 2004
- #counts SARE_RECV_IP_221124 91s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_221124 633s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_221124 88s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_221124 66s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_221124 74s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
- #counts SARE_RECV_IP_221124 4s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_221124 16s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_IP_221124 15s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_221124 24s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_221124 56s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_221124 119s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_222000 Received =~ /\[222\.(?:\d|1[0-5])\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_222000 Passed through possible spammer relay or source
- score SARE_RECV_IP_222000 1.508
- #ham SARE_RECV_IP_222000 confirmed (1)
- #hist SARE_RECV_IP_222000 Created by Bob Menschel Aug 09 2004
- #counts SARE_RECV_IP_222000 79s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_222000 171s/19h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_RECV_IP_222000 80s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_222000 20s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_RECV_IP_222000 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
- #counts SARE_RECV_IP_222000 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_222000 7s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_RECV_IP_222000 133s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_222000 18s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_RECV_IP_222064 Received =~ /\[222\.(?:6[4-9]|7[0-3])\.\d{1,3}\.\d{1,3}\]/
- describe SARE_RECV_IP_222064 Spam passed through possible spammer relay
- score SARE_RECV_IP_222064 1.666
- #ham SARE_RECV_IP_222064 verified (1)
- #hist SARE_RECV_IP_222064 Created by Bob Menschel Apr 18 2004
- #counts SARE_RECV_IP_222064 115s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_RECV_IP_222064 831s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
- #counts SARE_RECV_IP_222064 54s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_RECV_IP_222064 95s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_RECV_IP_222064 97s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
- #counts SARE_RECV_IP_222064 189s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
- #max SARE_RECV_IP_222064 849s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
- #counts SARE_RECV_IP_222064 17s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_RECV_IP_222064 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_RECV_IP_222064 352s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_RECV_IP_222064 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #####################################################################################
- # SARE Reply-To Rules
- ######## ###################### ##################################################
- #####################################################################################
- # SARE To/Cc Destination rules
- ######## ###################### ##################################################
- header SARE_TO_EMPTY To =~ /<>/
- describe SARE_TO_EMPTY To address is set to empty
- #core SARE_TO_EMPTY 0.330 0.550 0.000 0.550 # prev target: 0.660 when added to TO_NO_USER
- score SARE_TO_EMPTY 0.000 0.222 0.000 0.222 # curr target: 0.333 when added to TO_NO_USER
- #hist SARE_TO_EMPTY Originally submitted by Bob Menschel
- #overlap SARE_TO_EMPTY Distrib: TO_NO_USER: score TO_NO_USER 0.332 0.116 1.615 0.128
- #counts SARE_TO_EMPTY 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_TO_EMPTY 26s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
- #counts SARE_TO_EMPTY 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_TO_EMPTY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_TO_EMPTY 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
- #max SARE_TO_EMPTY 0s/1h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_TO_EMPTY 0s/2h of 5653 corpus (1019s/4634h ft) 06/04/05
- #####################################################################################
- # SARE X-Mailer Rules
- ######## ###################### ##################################################
- header SARE_XMAIL_PSSMAILER X-Mailer =~ /PSS Mailer/
- describe SARE_XMAIL_PSSMAILER Apparently uses bulk mailer
- score SARE_XMAIL_PSSMAILER 1.111
- #stype SARE_XMAIL_PSSMAILER spamp
- #hist SARE_XMAIL_PSSMAILER RM_hxm_PSSMailer
- #counts SARE_XMAIL_PSSMAILER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_XMAIL_PSSMAILER 12s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
- #counts SARE_XMAIL_PSSMAILER 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
- #counts SARE_XMAIL_PSSMAILER 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
- #counts SARE_XMAIL_PSSMAILER 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_XMAIL_PSSMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_XMAIL_RLSP X-Mailer =~ /RLSP/
- describe SARE_XMAIL_RLSP Uses Bulk Mailer used by spammers
- score SARE_XMAIL_RLSP 0.740
- #ham SARE_XMAIL_RLSP cartoon newsletter, personal emails (2)
- #hist SARE_XMAIL_RLSP Created by Bob Menschel Sep 27 2004
- #counts SARE_XMAIL_RLSP 26s/4h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_XMAIL_RLSP 1782s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_XMAIL_RLSP 52s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_XMAIL_RLSP 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_XMAIL_RLSP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #counts SARE_XMAIL_RLSP 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_XMAIL_RLSP 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_XMAIL_RLSP 68s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_XMAIL_RLSP 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #####################################################################################
- # SARE Miscellaneous and X-Header header rules
- ######## ###################### ##################################################
- header SARE_HEAD_DATE14 Date =~ /^.{1,14}$/
- score SARE_HEAD_DATE14 0.847
- #counts SARE_HEAD_DATE14 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_DATE14 313s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_DATE14 43s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
- #counts SARE_HEAD_DATE14 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
- #counts SARE_HEAD_DATE14 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_HEAD_DATE14 0s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_DATE14 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_DATE14 2s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- header SARE_HEAD_DATE46 Date =~ /^.{46}$/
- describe SARE_HEAD_DATE46 Date header suggests this is spam
- score SARE_HEAD_DATE46 1.666
- #ham SARE_HEAD_DATE46 Confirmed (1)
- #counts SARE_HEAD_DATE46 409s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_DATE46 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_DATE46 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
- #counts SARE_HEAD_DATE46 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
- #counts SARE_HEAD_DATE46 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_DATE46 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_DATE46 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header __MIME_VERSION exists:MIME-Version
- header __SARE_HEAD_MIME_VALID Mime-Version =~ m'^\s*1.0\b'
- meta SARE_HEAD_MIME_INVALID !__SARE_HEAD_MIME_VALID && __MIME_VERSION
- describe SARE_HEAD_MIME_INVALID Invalid mime version
- score SARE_HEAD_MIME_INVALID 1.116
- #ham SARE_HEAD_MIME_INVALID confirmed
- #hist SARE_HEAD_MIME_INVALID Bob Menschel, June 15 2005, inspired by Alex Broens
- #counts SARE_HEAD_MIME_INVALID 433s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #counts SARE_HEAD_MIME_INVALID 7s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
- #counts SARE_HEAD_MIME_INVALID 3s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
- #counts SARE_HEAD_MIME_INVALID 0s/5h of 15713 corpus (7767s/7946h FT) 05/14/06
- #counts SARE_HEAD_MIME_INVALID 172s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
- header SARE_HEAD_ORG_PREFIXW Organization =~ /Prefix that with/i
- describe SARE_HEAD_ORG_PREFIXW Spam sign in Organization header
- score SARE_HEAD_ORG_PREFIXW 0.617
- #hist SARE_HEAD_ORG_PREFIXW Alex Broens, Feb 20 2005
- #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
- #max SARE_HEAD_ORG_PREFIXW 10s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
- #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
- #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
- #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_HEAD_ORG_PREFIXW 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_HEAD_XLIB_INDY1 X-Library=~ /Indy 10.00.14-B/
- describe SARE_HEAD_XLIB_INDY1 Uses S/W version which has only been seen in spam
- score SARE_HEAD_XLIB_INDY1 0.844
- #hist SARE_HEAD_XLIB_INDY1 Originally submitted by Bob Menschel, RM.hxl_ForgedIndy
- #counts SARE_HEAD_XLIB_INDY1 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
- #max SARE_HEAD_XLIB_INDY1 30s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
- #counts SARE_HEAD_XLIB_INDY1 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_HEAD_XLIB_INDY1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
- #counts SARE_HEAD_XLIB_INDY1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #max SARE_HEAD_XLIB_INDY1 13s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_HEAD_XLIB_INDY1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
- #counts SARE_HEAD_XLIB_INDY1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
- header SARE_HEAD_XLIB_INDY2 X-Library=~ /Indy 8.0.25/
- describe SARE_HEAD_XLIB_INDY2 Uses S/W version which has only been seen in spam
- score SARE_HEAD_XLIB_INDY2 1.272
- #ham SARE_HEAD_XLIB_INDY2 verified (1)
- #hist SARE_HEAD_XLIB_INDY2 Created by Bob Menschel May 31 2004
- #counts SARE_HEAD_XLIB_INDY2 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_XLIB_INDY2 130s/1h of 327690 corpus (159737s/167953h RM) 07/27/05
- #counts SARE_HEAD_XLIB_INDY2 91s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_XLIB_INDY2 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_HEAD_XLIB_INDY2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #max SARE_HEAD_XLIB_INDY2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
- #counts SARE_HEAD_XLIB_INDY2 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #max SARE_HEAD_XLIB_INDY2 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
- #counts SARE_HEAD_XLIB_INDY2 30s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_XLIB_INDY2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
- header SARE_HEAD_XUNSENT X-Unsent =~ /\b1\b/i
- describe SARE_HEAD_XUNSENT Found spamsign header
- score SARE_HEAD_XUNSENT 1.666
- #hist SARE_HEAD_XUNSENT Alex Broens, June 10 2005
- #counts SARE_HEAD_XUNSENT 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_XUNSENT 15436s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_XUNSENT 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
- #counts SARE_HEAD_XUNSENT 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #max SARE_HEAD_XUNSENT 57s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
- #counts SARE_HEAD_XUNSENT 126s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_HEAD_XUNSENT 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #max SARE_HEAD_XUNSENT 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
- #counts SARE_HEAD_XUNSENT 98s/0h of 53950 corpus (16777s/37173h JH-3.01) 06/11/05
- #counts SARE_HEAD_XUNSENT 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
- #####################################################################################
- # SARE Rules which examine multiple header types
- ######## ###################### ##################################################
- header SARE_HEAD_8BIT_DATE Date =~ /[\x80-\xff]{3}/
- describe SARE_HEAD_8BIT_DATE High-ascii characters found in strange header
- score SARE_HEAD_8BIT_DATE 1.666
- #hist SARE_HEAD_8BIT_DATE From Bugzilla # 2243
- #ham SARE_HEAD_8BIT_DATE verified (1)
- #counts SARE_HEAD_8BIT_DATE 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_HEAD_8BIT_DATE 433s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_HEAD_8BIT_DATE 116s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_HEAD_8BIT_DATE 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #counts SARE_HEAD_8BIT_DATE 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
- #counts SARE_HEAD_8BIT_DATE 71s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- #counts SARE_HEAD_8BIT_DATE 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_HEAD_8BIT_DATE 65s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- header SARE_MULT_VIA_CITIZNET ALL =~ /\@(?:\w+\.)?citiz\.net\b/i
- describe SARE_MULT_VIA_CITIZNET header references apparent spam source
- score SARE_MULT_VIA_CITIZNET 1.394
- #ham SARE_MULT_VIA_CITIZNET confirmed (2)
- #hist SARE_MULT_VIA_CITIZNET Created by Bob Menschel Aug 23 2004
- #counts SARE_MULT_VIA_CITIZNET 25s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
- #max SARE_MULT_VIA_CITIZNET 37s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
- #counts SARE_MULT_VIA_CITIZNET 60s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
- #counts SARE_MULT_VIA_CITIZNET 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
- #max SARE_MULT_VIA_CITIZNET 8s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
- #counts SARE_MULT_VIA_CITIZNET 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
- #max SARE_MULT_VIA_CITIZNET 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
- #counts SARE_MULT_VIA_CITIZNET 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
- #counts SARE_MULT_VIA_CITIZNET 40s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
- #counts SARE_MULT_VIA_CITIZNET 13s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
- # EOF
|