70_sare_html0.cf 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385
  1. # SARE HTML Ruleset for SpamAssassin - ruleset 0
  2. # Version: 01.03.10
  3. # Created: 2004-03-31
  4. # Modified: 2006-06-03
  5. # Usage instructions, documentation, and change history in 70_sare_html0.cf
  6. #@@# Revision History: Full Revision History stored in 70_sare_html.log
  7. #@@# 01.03.09: May 31 2006
  8. #@@# Minor score tweaks based on recent mass-checks
  9. #@@# Moved file 0 to file 2: SARE_HTML_EHTML_OBFU
  10. #@@# Moved file 0 to file 2: SARE_HTML_HEAD_AFFIL
  11. #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU1
  12. #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU2
  13. #@@# Moved file 0 to file 2: SARE_HTML_ONE_LINE3
  14. #@@# Moved file 0 to file 2: SARE_HTML_POB1200
  15. #@@# Moved file 0 to file 2: SARE_HTML_URI_HIDADD
  16. #@@# Moved file 0 to file 2: SARE_HTML_URI_LOGOGEN
  17. #@@# Moved file 0 to file 2: SARE_HTML_URI_OFF
  18. #@@# Moved file 0 to file 2: SARE_HTML_USL_B7
  19. #@@# Moved file 0 to file 2: SARE_HTML_USL_B9
  20. #@@# Moved file 0 to file 2: SARE_PHISH_HTML_01
  21. #@@# Added file 0: SARE_HTML_FLOAT1
  22. #@@# 01.03.10: June 3 2006
  23. #@@# Minor score tweaks based on recent mass-checks
  24. #@@# Added file 0 SARE_HTML_LINKWARN
  25. #@@# Added file 0 SARE_HTML_SPANNER
  26. # License: Artistic - see http://www.rulesemporium.com/license.txt
  27. # Current Maintainer: Bob Menschel - RMSA@Menschel.net
  28. # Current Home: http://www.rulesemporium.com/rules/70_sare_html0.cf
  29. #
  30. # Usage: This family of files, 70_sare_html*.cf, contain rules that test HTML strings within emails
  31. # (except URIs, which are handled in the 70_sare_uri*.cf family of files).
  32. #
  33. # File 0: 70_sare_html0.cf -- These are html rules that hit at least 10 spam and no ham.
  34. # While SARE cannot guarantee they never will hit ham, they have not hit ham in any SARE mass-check, against tens of thousands of ham.
  35. # This is a rules file we expect any/all email systems using SpamAssassin to benefit from.
  36. #
  37. # File 1: 70_sare_html1.cf -- These are html rules that meet one of the follow criteria:
  38. # a) Rules that do, or in the past have hit ham during SARE mass-check tests
  39. # b) Rules that hit no ham and currently do not hit more than 10 spam in any single mass-check run.
  40. # If the rules hit ham, they hit at last 10 spam to each 1 ham.
  41. # If the rules hit ham, they hit fewer than 100 ham
  42. # With few exceptions these rules score significantly less than the rules in file 0.
  43. # Systems which are very sensitive to false positives and/or need to be very careful about resource use may want to exclude this ruleset,
  44. # pick and choose among its rules, or lower their scores.
  45. # Systems that use this file 1 should ALSO use file 0.
  46. #
  47. # File 2: 70_sare_html2.cf -- These html rules hit no spam at this time, but they are considered "safe" rules that should never hit ham.
  48. # These are primarily rules that test for specific html seen only in spam, or similar types of "pretty darn sure" rules.
  49. # Systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset file to avoid its overhead,
  50. # but systems with plenty of resources that want to be aggressive against spam may benefit from this ruleset file.
  51. #
  52. # File 3: 70_sare_html3.cf -- These are html rules that hit a significant amount of ham during SARE mass-check tests.
  53. # Systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
  54. #
  55. # File 4: 70_sare_html4.cf -- These are html rules that meet one of the following criteria:
  56. # a) They hit over 100 ham during SARE mass-check tests, but still hit enough spam to be worth while to aggressively anti-spam systems.
  57. # b) They hit no emails at this time, but have been recommended by anti-spam sources.
  58. # Again, systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
  59. #
  60. # eng: 70_sare_html_eng.cf -- These are html rules which work well within the English language, but are liable to cause false
  61. # positives in other languages. They include rules which test for letter combinations. Systems that
  62. # receive ham in languages other than English should NOT use this file.
  63. #
  64. # x30: 70_sare_html_x30.cf -- These are html rules which have been incorporated into SpamAssassin 3.0.x,
  65. # or which duplicate or greatly overlap 3.0.x rules.
  66. # Systems which have installed SpamAssassin 3.0.x should therefore NOT use this file.
  67. #
  68. # arc: 70_sare_html_arc.cf -- These are html rules that once were published in other files, but which have since lost all value.
  69. # They either hit too much ham (without hitting enough spam to make it worth while), or they don't hit any spam.
  70. # SARE regularly runs mass-checks on these rules to see if any of them are worth reviving, but
  71. # we expect that nobody will be running these rules in any production system.
  72. #
  73. ######## ###################### ##################################################
  74. ######## ###################### ##################################################
  75. # Rules renamed or moved
  76. ######## ###################### ##################################################
  77. meta SARE_HTML_ALT_WAIT2 __SARE_HEAD_FALSE
  78. meta SARE_HTML_BADOPEN __SARE_HEAD_FALSE
  79. meta SARE_HTML_BAD_FG_CLR __SARE_HEAD_FALSE
  80. meta SARE_HTML_COLOR_B __SARE_HEAD_FALSE
  81. meta SARE_HTML_COLOR_NWHT3 __SARE_HEAD_FALSE
  82. meta SARE_HTML_FONT_INVIS2 __SARE_HEAD_FALSE
  83. meta SARE_HTML_FSIZE_1ALL __SARE_HEAD_FALSE
  84. meta SARE_HTML_GIF_DIM __SARE_HEAD_FALSE
  85. meta SARE_HTML_HTML_AFTER __SARE_HEAD_FALSE
  86. meta SARE_HTML_HTML_DBL __SARE_HEAD_FALSE
  87. meta SARE_HTML_HTML_TBL __SARE_HEAD_FALSE
  88. meta SARE_HTML_IMG_ONLY __SARE_HEAD_FALSE
  89. meta SARE_HTML_JVS_HREF __SARE_HEAD_FALSE
  90. meta SARE_HTML_MANY_BR10 __SARE_HEAD_FALSE
  91. meta SARE_HTML_MANY_BR10 __SARE_HEAD_FALSE
  92. meta SARE_HTML_NO_BODY __SARE_HEAD_FALSE
  93. meta SARE_HTML_NO_HTML1 __SARE_HEAD_FALSE
  94. meta SARE_HTML_P_JUSTIFY __SARE_HEAD_FALSE
  95. meta SARE_HTML_TITLE_SEX __SARE_HEAD_FALSE
  96. meta SARE_HTML_URI_2SLASH __SARE_HEAD_FALSE
  97. meta SARE_HTML_URI_AXEL __SARE_HEAD_FALSE
  98. meta SARE_HTML_URI_BADQRY __SARE_HEAD_FALSE
  99. meta SARE_HTML_URI_FORMPHP __SARE_HEAD_FALSE
  100. meta SARE_HTML_URI_HREF __SARE_HEAD_FALSE
  101. meta SARE_HTML_URI_MANYP2 __SARE_HEAD_FALSE
  102. meta SARE_HTML_URI_MANYP3 __SARE_HEAD_FALSE
  103. meta SARE_HTML_URI_NUMPHP3 __SARE_HEAD_FALSE
  104. meta SARE_HTML_URI_OBFU4 __SARE_HEAD_FALSE
  105. meta SARE_HTML_URI_OBFU4a __SARE_HEAD_FALSE
  106. meta SARE_HTML_URI_PARTID __SARE_HEAD_FALSE
  107. meta SARE_HTML_URI_RID __SARE_HEAD_FALSE
  108. meta SARE_HTML_USL_MULT __SARE_HEAD_FALSE
  109. meta SARE_HTML_FONT_EBEF __SARE_HEAD_FALSE
  110. meta SARE_HTML_URI_DEFASP __SARE_HEAD_FALSE
  111. meta SARE_HTML_INV_TAGA __SARE_HEAD_FALSE
  112. meta SARE_HTML_EHTML_OBFU __SARE_HEAD_FALSE
  113. meta SARE_HTML_HEAD_AFFIL __SARE_HEAD_FALSE
  114. meta SARE_HTML_LEAKTHRU1 __SARE_HEAD_FALSE
  115. meta SARE_HTML_LEAKTHRU2 __SARE_HEAD_FALSE
  116. meta SARE_HTML_ONE_LINE3 __SARE_HEAD_FALSE
  117. meta SARE_HTML_POB1200 __SARE_HEAD_FALSE
  118. meta SARE_HTML_URI_HIDADD __SARE_HEAD_FALSE
  119. meta SARE_HTML_URI_LOGOGEN __SARE_HEAD_FALSE
  120. meta SARE_HTML_URI_OFF __SARE_HEAD_FALSE
  121. meta SARE_HTML_USL_B7 __SARE_HEAD_FALSE
  122. meta SARE_HTML_USL_B9 __SARE_HEAD_FALSE
  123. meta SARE_PHISH_HTML_01 __SARE_HEAD_FALSE
  124. ######## ###################### ##################################################
  125. rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
  126. rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
  127. rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
  128. rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
  129. rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
  130. rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
  131. rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
  132. rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
  133. rawbody __SARE_HTML_HBODY m'<html><body>'i
  134. rawbody __SARE_HTML_BEHTML m'<body></html>'i
  135. rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
  136. rawbody __SARE_HTML_EFONT m'^</font>'i
  137. rawbody __SARE_HTML_EHEB m'^</html></body>'i
  138. rawbody __SARE_HTML_CMT_CNTR /<center><!--/
  139. # JH: These rules test for strange color combinations. There migth be even more powerful combinations, but I haven't had time to check them all
  140. rawbody __SARE_LIGHT_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!fff\W|ffffff)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
  141. rawbody __SARE_WHITE_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
  142. rawbody __SARE_DARK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
  143. rawbody __SARE_BLACK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
  144. rawbody __SARE_LIGHT_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!ffffff|fff\W)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
  145. rawbody __SARE_WHITE_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
  146. rawbody __SARE_DARK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
  147. rawbody __SARE_BLACK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
  148. rawbody __SARE_HAS_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=)/i
  149. rawbody __SARE_HAS_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=)/i
  150. ######## ###################### ##################################################
  151. # <HTML> and <BODY> tag spamsign
  152. ######## ###################### ##################################################
  153. ######## ###################### ##################################################
  154. # <A> and HREF rules
  155. ######## ###################### ##################################################
  156. rawbody SARE_HTML_A_INV /href\w*href/i
  157. describe SARE_HTML_A_INV HTML has malformed anchor/href tag
  158. score SARE_HTML_A_INV 3.333
  159. #stype SARE_HTML_A_INV spamg
  160. #wasalso SARE_HTML_A_INV /href[a-z]*href/i
  161. #wasalso SARE_HTML_A_INV Fred's FR_FUNNY_HREF
  162. #wasalso SARE_HTML_A_INV /\w\whref=http:/i from David B Funk <dbfunk@engineering.uiowa.edu> Wed, 17 Mar 2004 04:04:58 -0600 (CST)
  163. #counts SARE_HTML_A_INV 8s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  164. #max SARE_HTML_A_INV 628s/0h of 66351 corpus (40971s/25380h RM) 08/21/04
  165. #counts SARE_HTML_A_INV 7s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
  166. #counts SARE_HTML_A_INV 38s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  167. #counts SARE_HTML_A_INV 4s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  168. #max SARE_HTML_A_INV 23s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  169. #counts SARE_HTML_A_INV 2s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
  170. #counts SARE_HTML_A_INV 8s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  171. #max SARE_HTML_A_INV 101s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  172. #counts SARE_HTML_A_INV 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  173. #counts SARE_HTML_A_INV 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  174. #max SARE_HTML_A_INV 2s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
  175. rawbody SARE_HTML_LINKWARN /\bShowLinkWarning\b/
  176. score SARE_HTML_LINKWARN 1.133
  177. describe SARE_HTML_LINKWARN Possible spam sign in HTML
  178. #hist SARE_HTML_LINKWARN Loren Wilton, April 2006
  179. #counts SARE_HTML_LINKWARN 126s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  180. #counts SARE_HTML_LINKWARN 5s/0h of 55981 corpus (51658s/4323h AxB2) 05/15/06
  181. #counts SARE_HTML_LINKWARN 17s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
  182. #counts SARE_HTML_LINKWARN 60s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
  183. #counts SARE_HTML_LINKWARN 168s/0h of 42253 corpus (34139s/8114h FVGT) 05/15/06
  184. #counts SARE_HTML_LINKWARN 12s/0h of 106183 corpus (72941s/33242h ML) 05/14/06
  185. #counts SARE_HTML_LINKWARN 26s/0h of 22939 corpus (17232s/5707h MY) 05/14/06
  186. ######## ###################### ##################################################
  187. # Spamsign character sets and fonts
  188. ######## ###################### ##################################################
  189. rawbody SARE_HTML_FONT_LWORD m'^<font style=font-size:1px>[a-z]{30,}\.</font><br>'i
  190. describe SARE_HTML_FONT_LWORD unusual document format
  191. score SARE_HTML_FONT_LWORD 1.666
  192. #hist SARE_HTML_FONT_LWORD Loren Wilton: LW_SPAMFERSURE
  193. #counts SARE_HTML_FONT_LWORD 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  194. #max SARE_HTML_FONT_LWORD 194s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
  195. #counts SARE_HTML_FONT_LWORD 2s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  196. #counts SARE_HTML_FONT_LWORD 81s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  197. #counts SARE_HTML_FONT_LWORD 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
  198. #counts SARE_HTML_FONT_LWORD 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  199. #max SARE_HTML_FONT_LWORD 2s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  200. full SARE_HTML_FONT_SPLIT /<font color=\n\n"?\#[a-f]\w[a-f]\w[a-f]\w"?>/i
  201. describe SARE_HTML_FONT_SPLIT HTML bright font color tag split by blank lines
  202. score SARE_HTML_FONT_SPLIT 1.666
  203. #hist SARE_HTML_FONT_SPLIT David B Funk <dbfunk@engineering.uiowa.edu> Wed, 17 Mar 2004 04:04:58 -0600 (CST)
  204. #overlap SARE_HTML_FONT_SPLIT Overlaps strongly with SARE_HTML_A_INV, though there's no regex overlap
  205. #overlap SARE_HTML_FONT_SPLIT Overlaps strongly with SARE_HTML_FONT_SPL for obvious reasons, but not enough to warrant dropping one.
  206. #counts SARE_HTML_FONT_SPLIT 5s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  207. #max SARE_HTML_FONT_SPLIT 431s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
  208. #counts SARE_HTML_FONT_SPLIT 5s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
  209. #counts SARE_HTML_FONT_SPLIT 1s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  210. #max SARE_HTML_FONT_SPLIT 14s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
  211. #counts SARE_HTML_FONT_SPLIT 31s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  212. #counts SARE_HTML_FONT_SPLIT 6s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  213. #max SARE_HTML_FONT_SPLIT 65s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
  214. #counts SARE_HTML_FONT_SPLIT 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  215. #counts SARE_HTML_FONT_SPLIT 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
  216. ######## ###################### ##################################################
  217. # <TITLE> Tag Tests
  218. ######## ###################### ##################################################
  219. ######## ###################### ##################################################
  220. # Obviously invalid html tag
  221. ######## ###################### ##################################################
  222. ######## ###################### ##################################################
  223. # Invalid or Suspicious URI Tests
  224. ######## ###################### ##################################################
  225. ######## ###################### ##################################################
  226. # <!-- Comment tag tests
  227. ######## ###################### ##################################################
  228. ######## ###################### ##################################################
  229. # Image tag tests
  230. ######## ###################### ##################################################
  231. rawbody SARE_HTML_IMG_CID2 /\"cid:(?:[A-Z]{8}\.){3}[A-Z]{8}_csseditor\"/ # no /i
  232. describe SARE_HTML_IMG_CID2 table spam image
  233. score SARE_HTML_IMG_CID2 2.222
  234. #hist SARE_HTML_IMG_CID2 Loren Wilton, May 2005
  235. #counts SARE_HTML_IMG_CID2 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  236. #max SARE_HTML_IMG_CID2 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  237. #counts SARE_HTML_IMG_CID2 66s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  238. #max SARE_HTML_IMG_CID2 114s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
  239. #counts SARE_HTML_IMG_CID2 63s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  240. #counts SARE_HTML_IMG_CID2 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
  241. #counts SARE_HTML_IMG_CID2 45s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  242. #counts SARE_HTML_IMG_CID2 8s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  243. #counts SARE_HTML_IMG_CID2 4s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  244. #max SARE_HTML_IMG_CID2 37s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
  245. ######## ###################### ##################################################
  246. # Javascript and object tests
  247. ######## ###################### ##################################################
  248. ######## ###################### ##################################################
  249. # Header tags
  250. ######## ###################### ##################################################
  251. ######## ###################### ##################################################
  252. # Paragraphs, breaks, and spacings
  253. ######## ###################### ##################################################
  254. rawbody __SARE_HTML_FLOAT1A /^\s*(?:=(?:3[Dd])?\s*\"\s*)?float\s*(?:\:\s*)?$/i
  255. rawbody __SARE_HTML_FLOAT1B /^(?:\s*|=(?:3D)?")?float:?\s*$/i
  256. meta SARE_HTML_FLOAT1 __SARE_HTML_FLOAT1A || __SARE_HTML_FLOAT1B
  257. describe SARE_HTML_FLOAT1 Contains HTML formatting used in spam
  258. score SARE_HTML_FLOAT1 2.666
  259. #counts SARE_HTML_FLOAT1 574s/0h of 192466 corpus (93270s/99196h RM) 05/31/06
  260. #counts SARE_HTML_FLOAT1 21s/0h of 26358 corpus (22027s/4331h AxB2) 06/01/06
  261. #counts SARE_HTML_FLOAT1 125s/0h of 13285 corpus (7412s/5873h CT) 05/31/06
  262. #counts SARE_HTML_FLOAT1 1645s/0h of 162350 corpus (110752s/51598h DOC) 05/31/06
  263. #counts SARE_HTML_FLOAT1 40s/0h of 15726 corpus (7781s/7945h FT) 05/31/06
  264. #counts SARE_HTML_FLOAT1 3054s/0h of 119967 corpus (84310s/35657h ML) 05/31/06
  265. #counts SARE_HTML_FLOAT1 17s/0h of 22937 corpus (17232s/5705h MY) 05/31/06
  266. rawbody SARE_HTML_ORIG_MSG /^-----original message-----<br>$/
  267. describe SARE_HTML_ORIG_MSG Fake replied message?
  268. score SARE_HTML_ORIG_MSG 1.666
  269. #hist SARE_HTML_ORIG_MSG Tim Jackson, May 12, 2005
  270. #counts SARE_HTML_ORIG_MSG 65s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  271. #counts SARE_HTML_ORIG_MSG 6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  272. #max SARE_HTML_ORIG_MSG 12s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
  273. #counts SARE_HTML_ORIG_MSG 14s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
  274. #counts SARE_HTML_ORIG_MSG 38s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  275. #counts SARE_HTML_ORIG_MSG 22s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
  276. #counts SARE_HTML_ORIG_MSG 119s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  277. #counts SARE_HTML_ORIG_MSG 10s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  278. #max SARE_HTML_ORIG_MSG 154s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
  279. rawbody SARE_HTML_SPANNER /> [a-z] <\/span>[a-z]<span/i
  280. describe SARE_HTML_SPANNER spammer is a SARE_HTML_SPANNER
  281. score SARE_HTML_SPANNER 2.222
  282. #hist SARE_HTML_SPANNER variation apparently scheduled for SA distribution in 3.2
  283. #hist SARE_HTML_SPANNER Robert Brooks, March 2006
  284. #counts SARE_HTML_SPANNER 1849s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  285. #counts SARE_HTML_SPANNER 7s/0h of 9982 corpus (5652s/4330h AxB) 05/14/06
  286. #counts SARE_HTML_SPANNER 108s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
  287. #counts SARE_HTML_SPANNER 959s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
  288. #counts SARE_HTML_SPANNER 31s/0h of 42253 corpus (34139s/8114h FVGT) 05/15/06
  289. #counts SARE_HTML_SPANNER 3027s/0h of 106183 corpus (72941s/33242h ML) 05/14/06
  290. #counts SARE_HTML_SPANNER 9s/0h of 22939 corpus (17232s/5707h MY) 05/14/06
  291. ######## ###################### ##################################################
  292. # Suspicious tag combinations
  293. ######## ###################### ##################################################
  294. full SARE_HTML_CALL_ME m'\nPhone:\s+\d{3}-[\d\-<BR>]+\nMobile:\s+\d{3}-[\d\-<BR>]+\nEmail:\s+<A href.{1,100}</A>\n</DIV></BODY></HTML>'
  295. describe SARE_HTML_CALL_ME spammer sign in text
  296. score SARE_HTML_CALL_ME 2.222
  297. #hist SARE_HTML_CALL_ME Loren Wilton: LW_CALLME
  298. #counts SARE_HTML_CALL_ME 1s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  299. #max SARE_HTML_CALL_ME 1964s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
  300. #counts SARE_HTML_CALL_ME 270s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  301. #counts SARE_HTML_CALL_ME 0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  302. #counts SARE_HTML_CALL_ME 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
  303. #counts SARE_HTML_CALL_ME 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
  304. ######## ###################### ##################################################
  305. # Miscellaneous tag tests
  306. ######## ###################### ##################################################
  307. ######## ###################### ##################################################
  308. # Useless tags (tag structures that do nothing)
  309. # Largely submitted by Matt Yackley, with contributions by
  310. # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
  311. ######## ###################### ##################################################
  312. ######## ###################### ##################################################
  313. # Tests destined for other rule sets
  314. ######## ###################### ##################################################
  315. rawbody __SARE_PHISH_HTML_02a m'<a[\s\w=\.]+href=\"https?://\d+[^>]+>https://[^\d]'i
  316. full __SARE_PHISH_HTML_02b m'<a[\s\w=\.]+href=\"https?://\d+[^>]+>https://[^\d]'i
  317. meta SARE_PHISH_HTML_02 __SARE_PHISH_HTML_02a || __SARE_PHISH_HTML_02b
  318. score SARE_PHISH_HTML_02 2.500
  319. #stype SARE_PHISH_HTML_02 spamgg # phish
  320. #hist SARE_PHISH_HTML_02 Loren Wilton: SARE_PHISH_HTML_03
  321. describe SARE_PHISH_HTML_02 numeric href with https description
  322. #counts SARE_PHISH_HTML_02 49s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  323. #max SARE_PHISH_HTML_02 90s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  324. #counts SARE_PHISH_HTML_02 3s/0h of 56039 corpus (51703s/4336h AxB2) 05/15/06
  325. #counts SARE_PHISH_HTML_02 6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  326. #counts SARE_PHISH_HTML_02 18s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  327. #counts SARE_PHISH_HTML_02 34s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
  328. #counts SARE_PHISH_HTML_02 5s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
  329. #counts SARE_PHISH_HTML_02 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  330. #counts SARE_PHISH_HTML_02 2s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  331. rawbody __SARE_PHISH_HTML_03 m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
  332. full __SARE_PHISH_HTML_03a m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
  333. meta SARE_PHISH_HTML_03 __SARE_PHISH_HTML_03 || __SARE_PHISH_HTML_03a
  334. describe SARE_PHISH_HTML_03 numeric href with https description
  335. score SARE_PHISH_HTML_03 1.666
  336. #stype SARE_PHISH_HTML_03 spamg
  337. #hist SARE_PHISH_HTML_03 Loren Wilton, Feb 28 2005
  338. #counts SARE_PHISH_HTML_03 49s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
  339. #max SARE_PHISH_HTML_03 90s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
  340. #counts SARE_PHISH_HTML_03 3s/0h of 56039 corpus (51703s/4336h AxB2) 05/15/06
  341. #counts SARE_PHISH_HTML_03 6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
  342. #counts SARE_PHISH_HTML_03 18s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
  343. #counts SARE_PHISH_HTML_03 34s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
  344. #counts SARE_PHISH_HTML_03 5s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/13/05
  345. #counts SARE_PHISH_HTML_03 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
  346. #counts SARE_PHISH_HTML_03 2s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
  347. # EOF