70_sare_oem.cf 12 KB

  1. # SARE OEM Ruleset for SpamAssassin 2.5x and higher
  2. # Version: 1.05.14
  3. # Created: 2004-04-14
  4. # Modified: 2005-12-27
  5. # Changes:
  6. # License: Artistic - see http://www.rulesemporium.com/license.txt
  7. # Current Maintainer: Fred Tarasevicius tech2@i-is.com w/ Additions by Jesse Houwing j.houwing@rulesemporium.com
  8. # Current Home: http://www.rulesemporium.com/rules/70_sare_oem.cf
  9. # Requirements: SpamAssassin 2.5x or higher
  10. # SA 3.0 compliant: Yes
  11. # RULES TO CATCH PEOPLE TRYING TO SELL OEM SOFTWARE TO CONSUMERS.
  12. #
  13. #
  14. #
  15. ## ADDED TO RULESET
  16. # Microsoft Windows 2000 Professional
  17. # Microsoft Windows 2003 Server
  18. # Microsoft Windows XP Media Center Edition
  19. # Microsoft Windows XP PRO/HOME
  20. # Microsoft Windows Small Business Server 2003 Standard Edition
  21. # Microsoft Office XP
  22. # Microsoft Office 2003
  23. # Microsoft Office Publisher
  24. # Microsoft Project 2002
  25. # Microsoft SQL Server 2000 Enterprise Edition
  26. # Microsoft Visual Studio
  27. # Microsoft Visio 2004
  28. # Microsoft Money 2004
  29. # Microsoft FrontPage 2003
  30. # Norton System Works 2003 Deluxe
  31. # Norton Antivirus Corporate Edition 2003
  32. # Adobe Acrobat 6.0 Pro
  33. # Adobe Creative Suite
  34. # Adobe Illustrator 10
  35. # Adobe In Design 2.0
  36. # Adobe InDesign 2
  37. # Adobe PageMaker 7.01
  38. # Adobe Photoshop 7
  39. # Adobe Photoshop Elements 2
  40. # Adobe Premiere
  41. # 3D Studio Max
  42. # AutoCAD 2005
  43. # Chief Architect 9.0
  44. # Cool Edit Pro v2.1
  45. # Corel Draw 12 Graphic Suite
  46. # Corel Draw 11 Graphic Suite
  47. # Corel Painter 8
  48. # Dragon Naturally Speaking
  49. # DVDXCopy Platinum 4.0.38
  50. # DVDXCopy Platinum v3.2.1
  51. # EasyRecovery
  52. # Macromedia Dreamweaver MX
  53. # Macromedia Fireworks MX
  54. # Macromedia Flash MX
  55. # Macromedia Studio MX
  56. # Mathematica 5.0
  57. # Nero Burning ROM 6 Ultra Edition
  58. # Nero 6 Ultra
  59. # PowerQuest Drive Image 7
  60. # QuarkXPress 5.01
  61. # QuarkXpress 6
  62. # Sonic Foundry DVD Architect 1.0c
  63. # Winfax PRO 10
  64. # WordPerfect Office 10
  65. #
  66. ##
  67. # Popular sets.
  # Sub-rules for the most frequently advertised vendors. Rule names starting
  # with "__" carry no score of their own; in this file they only take effect
  # through the meta rules that combine them.
  # Character classes such as [o0], [e3], [i|] and [s5\$] accept look-alike
  # substitutions. Inside a class the "|" is a literal pipe, not alternation.
  # NOTE(review): none of these patterns is anchored with \b and several match
  # plain product names, so legitimate mail that discusses these products will
  # hit them. Validate the combined meta scores against current ham mail.
  68. body __OEM_ADOBE_1 /Ad[o0]b[e3] In ?Design/i
  69. body __OEM_ADOBE_2 /Ph[o0]t[o0]sh[o0]{1,2}p (?:[5678]|CS|Elements)/i
  70. body __OEM_ADOBE_3 /Ad[o0]b[e3] Acrobat \d\.?\d? Pro/i
  71. body __OEM_ADOBE_4 /Ad[o0]b[e3] Creative Suite/i
  72. body __OEM_ADOBE_5 /Ad[o0]b[e3] Illustrator \d\d/i
  73. body __OEM_ADOBE_6 /Ad[o0]b[e3] Premiere/i
  74. body __OEM_ADOBE_7 /Ad[o0]b[e3] PageMaker \d/i
  # Macromedia titles. __OEM_MACROMED_2 and __OEM_MACROMED_5 do not require the
  # vendor name, so they also match "Fireworks MX" / "Studio MX 2004" on their own.
  75. body __OEM_MACROMED_1 /Macromedia Dreamwe?aver MX/i
  76. body __OEM_MACROMED_2 /Fireworks MX/i
  77. body __OEM_MACROMED_3 /Macromedia Flash MX/i
  78. body __OEM_MACROMED_4 /Macromedia Studio MX/i
  79. body __OEM_MACROMED_5 /Studio MX \d{4}/i
  # Microsoft titles. [0O] lets a letter O stand in for a zero in year numbers.
  80. body __OEM_MS_1 /W[i|]nd[o0]ws (?:NT 4\.0|98 Second|2[0O]{2}3 Server|2[0O]{3} Pr[o0]|XP Media Center|XP (?:Pr[o0]|H[o0]me|C[o0]rp)|Small)/i
  81. body __OEM_MS_2 /[O0]ff[i|]ce (?:XP|2[0O][0O]\d|Small|Publisher|System Pro)/i
  82. body __OEM_MS_3 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) Visual Studio/i
  83. body __OEM_MS_4 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) Visio 200\d/i
  84. body __OEM_MS_5 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) Money 200\d/i
  85. body __OEM_MS_6 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) Project 200\d/i
  86. body __OEM_MS_7 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) SQL Server (?:2000|7)/i
  # NOTE(review): this matches "Window" followed directly by "XP" or "2003",
  # with no "s" and no space (e.g. "WindowXP"). "Windows XP Pro" and similar are
  # covered by __OEM_MS_1. Confirm the run-together form is what was intended.
  87. body __OEM_MS_8 /W[i|]nd[o0]w(?:XP|2[0o][0o]3)/i
  88. body __OEM_MS_9 /(?:M[i|]cr[o0][s5\$][o0]ft|M[S\$]) FrontPage 2003/i
  # Norton titles. In __OEM_NORTON_1 the group (?:\s*)? is equivalent to \s*.
  89. body __OEM_NORTON_1 /N[o0]rt[o0]n Ant[i|](?:\s*)?v[i|]rus (?:Corporate|200\d|Pr[o0])/i
  90. body __OEM_NORTON_2 /System ?Works (?:Pro)? ?2[0O][0O][34]/i
  91. # Used in the final metas to check whether at least one of a company's products was listed.
  # __ONE_PLUS_<vendor> is true when any sub-rule for that vendor hit.
  92. meta __ONE_PLUS_ADOBE (__OEM_ADOBE_1 || __OEM_ADOBE_2 || __OEM_ADOBE_3 || __OEM_ADOBE_4 || __OEM_ADOBE_5 || __OEM_ADOBE_6 || __OEM_ADOBE_7)
  93. meta __ONE_PLUS_MACROM (__OEM_MACROMED_1 || __OEM_MACROMED_2 || __OEM_MACROMED_3 || __OEM_MACROMED_4 || __OEM_MACROMED_5)
  94. meta __ONE_PLUS_MSOFT (__OEM_MS_1 || __OEM_MS_2 || __OEM_MS_3 || __OEM_MS_4 || __OEM_MS_5 || __OEM_MS_6 || __OEM_MS_7 || __OEM_MS_8 || __OEM_MS_9)
  95. meta __ONE_PLUS_NORTON (__OEM_NORTON_1 || __OEM_NORTON_2)
  # __MANY_<vendor>_1 is true when more than one of that vendor's sub-rules hit
  # (two or more distinct patterns). The sum counts sub-rules that hit, not how
  # often each pattern occurs; no rule in this file sets "tflags multiple".
  # No __MANY_ rule is defined for Norton, which has only two sub-rules.
  96. meta __MANY_ADOBE_1 ((__OEM_ADOBE_1 + __OEM_ADOBE_2 + __OEM_ADOBE_3 + __OEM_ADOBE_4 + __OEM_ADOBE_5 + __OEM_ADOBE_6 + __OEM_ADOBE_7) > 1)
  97. meta __MANY_MACROM_1 ((__OEM_MACROMED_1 + __OEM_MACROMED_2 + __OEM_MACROMED_3 + __OEM_MACROMED_4 + __OEM_MACROMED_5) > 1)
  98. meta __MANY_MSOFT_1 ((__OEM_MS_1 + __OEM_MS_2 + __OEM_MS_3 + __OEM_MS_4 + __OEM_MS_5 + __OEM_MS_6 + __OEM_MS_7 + __OEM_MS_8 + __OEM_MS_9) > 1)
  # __MANY_<vendor>_2 uses the same sums with a threshold of more than two, so
  # whenever a _2 rule is true the matching _1 rule is true as well.
  99. meta __MANY_ADOBE_2 ((__OEM_ADOBE_1 + __OEM_ADOBE_2 + __OEM_ADOBE_3 + __OEM_ADOBE_4 + __OEM_ADOBE_5 + __OEM_ADOBE_6 + __OEM_ADOBE_7) > 2)
  100. meta __MANY_MACROM_2 ((__OEM_MACROMED_1 + __OEM_MACROMED_2 + __OEM_MACROMED_3 + __OEM_MACROMED_4 + __OEM_MACROMED_5) > 2)
  101. meta __MANY_MSOFT_2 ((__OEM_MS_1 + __OEM_MS_2 + __OEM_MS_3 + __OEM_MS_4 + __OEM_MS_5 + __OEM_MS_6 + __OEM_MS_7 + __OEM_MS_8 + __OEM_MS_9) > 2)
  102. # Catch OEM style price lines
  # Each pattern is a product keyword, then 4 to 40 arbitrary characters, then
  # "$", optional whitespace and at least two digits.
  103. body __WINDOWS_PRICE /windows.{4,40}\$\s?\d\d/i
  104. body __PHOTOSH_PRICE /Photoshop.{4,40}\$\s?\d\d/i
  105. body __CREATIV_PRICE /Creative.{4,40}\$\s?\d\d/i
  106. body __ACROBAT_PRICE /Acrobat.{4,40}\$\s?\d\d/i
  107. body __ILLUSTR_PRICE /Illustrator.{4,40}\$\s?\d\d/i
  # Two or more of the five price patterns hit (unscored, feeds the metas below).
  108. meta __POPULAR_PRICES2 ((__WINDOWS_PRICE + __PHOTOSH_PRICE + __CREATIV_PRICE + __ACROBAT_PRICE + __ILLUSTR_PRICE) > 1)
  # Three or more of the five price patterns hit; this one is scored directly.
  109. meta SARE_OEM_POP_PRICES3 ((__WINDOWS_PRICE + __PHOTOSH_PRICE + __CREATIV_PRICE + __ACROBAT_PRICE + __ILLUSTR_PRICE) > 2)
  110. score SARE_OEM_POP_PRICES3 1.931
  # Scored vendor metas (scores are assigned further down in this file).
  # SARE_OEM_PRODS_FEW: at least two of the four vendors / the price indicator.
  111. meta SARE_OEM_PRODS_FEW ((__ONE_PLUS_ADOBE + __ONE_PLUS_MACROM + __ONE_PLUS_MSOFT + __ONE_PLUS_NORTON + __POPULAR_PRICES2) > 1)
  # SARE_OEM_PRODS_1: same idea, but Adobe, Macromedia and Microsoft only count
  # once two or more of their products are named.
  112. meta SARE_OEM_PRODS_1 ((__MANY_ADOBE_1 + __MANY_MACROM_1 + __MANY_MSOFT_1 + __ONE_PLUS_NORTON + __POPULAR_PRICES2) > 1)
  # SARE_OEM_PRODS_2 and _3 share one eight-term sum with thresholds of more than
  # 3 and more than 4. A vendor with three or more products adds 2 to the sum
  # (its _1 and _2 terms). A message that hits _3 also hits _2, so both scores
  # are added to the message total.
  113. meta SARE_OEM_PRODS_2 ((__MANY_ADOBE_1 + __MANY_ADOBE_2 + __MANY_MACROM_1 + __MANY_MACROM_2 + __MANY_MSOFT_1 + __MANY_MSOFT_2 + __ONE_PLUS_NORTON + __POPULAR_PRICES2) > 3)
  114. meta SARE_OEM_PRODS_3 ((__MANY_ADOBE_1 + __MANY_ADOBE_2 + __MANY_MACROM_1 + __MANY_MACROM_2 + __MANY_MSOFT_1 + __MANY_MSOFT_2 + __ONE_PLUS_NORTON + __POPULAR_PRICES2) > 4)
  115. # MISC others
  # Unscored sub-rules for less common titles, grouped below into the
  # __OEM_OTHERS_* metas by first letter of the product name.
  116. body __OEM_3DSTUDIO /3D Studio Max/i
  117. body __OEM_AUTOCAD /AutoCAD \d{2,4}/i
  # NOTE(review): unlike its neighbours this pattern has no /i flag, so it is
  # case-sensitive. Confirm that is intended.
  118. body __OEM_CHIEF_ARCH /Chief Architect \d/
  # NOTE(review): __OEM_COOLEDIT is defined here but is not referenced by any
  # meta rule in this file, so it currently has no effect on scoring.
  119. body __OEM_COOLEDIT /Cool Edit Pro/i
  120. body __OEM_COREL_1 /Corel ?Draw (?:\d{1,2}|Graphic)/i
  121. body __OEM_COREL_2 /Corel ?Painter 8/i
  122. body __OEM_DRAGON /Dragon Naturally Speaking/i
  123. body __OEM_DVDXCOPY /DVDXCopy Platinum (?:\d|v)/i
  124. body __OEM_EASYRECOVER /EasyRecovery/i
  125. body __OEM_MATHEMATICA /Mathematica \d/i
  126. body __OEM_NEROBURNING /Nero (?:Burning (?:Rom)?\s*\d|6 ultra)/i
  127. body __OEM_POWERQU /PowerQuest Drive Image \d/i
  128. body __OEM_QUARKXPRESS /QuarkXpress \d/i
  129. body __OEM_QUICKBOOKS /QuickBooks Pro 200\d/i
  130. body __OEM_SONIC_FOUND /Sonic Foundry DVD/i
  131. body __OEM_ULEAD_1 /Ulead DVD Workshop/i
  132. body __OEM_WINFAX /Winfax PRO \d\d/i
  133. body __OEM_WORDPERF /WordPerfect (?:\d{2}|Office)/i
  # Each group is true when any one of its sub-rules hit.
  134. meta __OEM_OTHERS_AM (__OEM_3DSTUDIO || __OEM_AUTOCAD || __OEM_CHIEF_ARCH || __OEM_COREL_1 || __OEM_COREL_2 || __OEM_DRAGON || __OEM_DVDXCOPY || __OEM_EASYRECOVER || __OEM_MATHEMATICA)
  135. meta __OEM_OTHERS_NP (__OEM_NEROBURNING || __OEM_POWERQU)
  136. meta __OEM_OTHERS_QZ (__OEM_QUARKXPRESS || __OEM_QUICKBOOKS || __OEM_SONIC_FOUND || __OEM_ULEAD_1 || __OEM_WINFAX || __OEM_WORDPERF)
  137. meta __OEM_OTHERS_ALL (__OEM_OTHERS_AM || __OEM_OTHERS_NP || __OEM_OTHERS_QZ)
  138. # If we found some of the big players, look for some other guys, and add more points if found.
  139. meta SARE_OEM_AND_OTHER (SARE_OEM_PRODS_1 && __OEM_OTHERS_ALL)
  140. # A combined meta test to count overall number of products listed.
  # The sum counts groups (four vendors plus the three "others" groups), not
  # individual products. Thresholds: 02 = two or more groups, 03 = three or more,
  # 04 = four or more.
  141. meta SARE_PRODUCTS_02 ((__ONE_PLUS_ADOBE + __ONE_PLUS_MACROM + __ONE_PLUS_MSOFT + __ONE_PLUS_NORTON + __OEM_OTHERS_AM + __OEM_OTHERS_NP + __OEM_OTHERS_QZ) > 1)
  142. meta SARE_PRODUCTS_03 ((__ONE_PLUS_ADOBE + __ONE_PLUS_MACROM + __ONE_PLUS_MSOFT + __ONE_PLUS_NORTON + __OEM_OTHERS_AM + __OEM_OTHERS_NP + __OEM_OTHERS_QZ) > 2)
  143. meta SARE_PRODUCTS_04 ((__ONE_PLUS_ADOBE + __ONE_PLUS_MACROM + __ONE_PLUS_MSOFT + __ONE_PLUS_NORTON + __OEM_OTHERS_AM + __OEM_OTHERS_NP + __OEM_OTHERS_QZ) > 3)
  144. score SARE_OEM_PRODS_FEW 0.879
  145. score SARE_OEM_PRODS_1 0.753
  146. score SARE_OEM_PRODS_2 0.897
  147. score SARE_OEM_PRODS_3 0.951
  148. score SARE_OEM_AND_OTHER 1.259
  149. score SARE_PRODUCTS_02 0.375
  150. score SARE_PRODUCTS_03 0.875
  151. score SARE_PRODUCTS_04 1.75
  # SARE_PRODS_LOTS needs all three SARE_PRODUCTS_* rules. Because they share one
  # sum, it is true exactly when SARE_PRODUCTS_04 is true.
  # NOTE(review): such a message collects 0.375 + 0.875 + 1.75 + 1.9 = 4.9 points
  # from these four rules alone, just under SpamAssassin's stock required_score
  # of 5.0. A legitimate reseller price list or licence inventory naming four
  # product groups would land there too, so check this stacking against local ham.
  152. meta SARE_PRODS_LOTS ((SARE_PRODUCTS_02 + SARE_PRODUCTS_03 + SARE_PRODUCTS_04) > 2)
  153. score SARE_PRODS_LOTS 1.9
  154. # Added for fake years such as 2OO3 (letter O in place of zero); a genuine 2003 does not match.
  # Pattern: "2", then two characters that are each "O" or "0" but not "00", then
  # a digit, bounded by \b. There is no /i flag, so only a capital O counts.
  155. body SARE_OEM_FAKE_YEAR /\b2(?!00)[O0]{2}\d\b/
  156. score SARE_OEM_FAKE_YEAR 1.70
  # "Professional" or "Windows" followed closely by a dollar amount.
  # SARE_OEM_WIN_DOL allows 1 to 9 characters before the "$", a tighter window
  # than the unscored __WINDOWS_PRICE sub-rule (4 to 40 characters).
  157. body SARE_OEM_PRO_DOL /Professional .{0,3}\$\s?\d\d/i
  158. score SARE_OEM_PRO_DOL 0.75
  159. body SARE_OEM_WIN_DOL /Windows.{1,9}\$\s?\d\d/i
  160. score SARE_OEM_WIN_DOL 0.75
  # Case-sensitive: only the all-capitals phrase matches.
  161. body SARE_OEM_NEW_TITLES /NEW TITLES/
  162. score SARE_OEM_NEW_TITLES 0.75
  # Price-first variants: "$" plus two or three digits, optional whitespace,
  # then the vendor or product word.
  163. body SARE_OEM_MONEY_ADOBE /\$\d\d\d?\s?Adobe/i
  164. score SARE_OEM_MONEY_ADOBE 0.75
  165. body SARE_OEM_MONEY_OFFIC /\$\d\d\d?\s?Office/i
  166. score SARE_OEM_MONEY_OFFIC 0.75
  167. body SARE_OEM_MONEY_MS /\$\d\d\d?\s?Microsoft/i
  168. score SARE_OEM_MONEY_MS 0.75
  169. body SARE_OEM_MONEY_WIN /\$\d\d\d?\s?Windows/i
  170. score SARE_OEM_MONEY_WIN 0.75
  # Matches this literal string anywhere in a URI found in the message.
  # NOTE(review): looks like a file name taken from one spam campaign; confirm it
  # is still worth evaluating.
  171. uri SARE_OEM_UPPER_EYE /eyebrow-upper-left-corner/
  172. score SARE_OEM_UPPER_EYE 0.95
  173. # .oem in URL
  # Unanchored and case-insensitive: ".oem" anywhere in the URI matches, including
  # inside a longer host label or path segment. The score is kept very low.
  174. uri SARE_OEM_DOT_URI /\.oem/i
  175. score SARE_OEM_DOT_URI 0.094
  # The #counts lines record hit counts per test corpus, presumably spam ("s") and
  # ham ("h") hits followed by the corpus size and date. All three date from
  # 12/26/05, so they say nothing about current mail.
  # NOTE(review): none of the scored rules in this section has a "describe" line,
  # so reports show only the rule name.
  176. #counts SARE_OEM_DOT_URI 0s/0h of 40645 corpus (35355s/5290h MY) 12/26/05
  177. #counts SARE_OEM_DOT_URI 5s/0h of 9789 corpus (4888s/4901h FT) 12/26/05
  178. #counts SARE_OEM_DOT_URI 71s/0h of 40795 corpus (31049s/9746h ML) 12/26/05
  179. ##############################################################################
  180. # Common phrases in OEM spam
  181. #
  182. # Added by Jesse Houwing
  183. # j.houwing@rulesemporium.com
  # The ".?" between letters tolerates one inserted character per gap, so spaced
  # or punctuated spellings such as "r.e.t.a.i.l" still match.
  # The 1A/1B/1C sub-rules require a digit (optionally after "$") following the
  # phrase; the 2A/2B/2C sub-rules match the phrase alone.
  184. body __SARE_OEM_1A /(?:normal|r.?e.?t.?a.?i.?l)\s*(?:p.?r.?i.?c.?e)?:?\s*(?:\$\s*)?\d/i
  185. body __SARE_OEM_1B /(?:our|my)(?:\s*(?:low|online))?\s*p.?r.?i.?c.?e:?\s*(?:\$\s*)?\d/i
  186. body __SARE_OEM_1C /you\s*s.?a.?v.?e:?\s*(?:\$\s*)?\d/i
  187. body __SARE_OEM_2A /(?:normal|r.?e.?t.?a.?i.?l)\s*(?:p.?r.?i.?c.?e)/i
  188. body __SARE_OEM_2B /(?:our|my)(?:\s*(?:l[o0]w|online))?\s*p.?r.?i.?c.?e/i
  189. body __SARE_OEM_2C /you\s*s.?a.?v.?e/i
  190. body SARE_OEM_OEMCD /\boem.?cd/i
  191. body SARE_OEM_REDPR /reduced our prices/i
  192. body SARE_OEM_BRC /\(OEM\)/i
  # "software" and OEM (also QEM or 0EM) within 1 to 15 characters of each other,
  # in either order.
  193. body SARE_OEM_SOFT_IS /\b(?:\bsoftware\b.{1,15}\b[OQ0]EM\b|\b[OQ0]EM\b.{1,15}\bsoftware\b)\b/i
  # Obfuscated spellings only: the negative lookaheads skip plain "oem" and
  # "software(s)". There is no /i flag, so the match is case-sensitive and
  # upper-case spellings are not covered.
  # NOTE(review): the \b before [s5$] needs a word character in front of a leading
  # "$", so a "$"-for-"s" spelling at the start of a word is not matched. Confirm
  # whether that case was meant to be caught.
  194. body SARE_OEM_OBFU /(?:(?!oem)\b[o0][e3]m\b|(?!soft ?wares?)\b[s5$].?[o0].?f.?t.?w.?[\@a].?r.?[e3].?[s5]?\b)/
  # Struck-through prices in the raw HTML: an <s>...</s> element containing "$" or
  # a decimal number, or a CSS "line-through" declaration followed within 40
  # characters by "$" or a decimal number.
  # NOTE(review): the ".*?" runs inside <s>...</s> have no length bound. Confirm
  # the cost is acceptable on large HTML parts.
  195. rawbody SARE_OEM_S_DOL m{(?:<s>[^\$]*?\$.*?</s>|<s>.*?\d+\.\d+.*?</s>|text-decoration:\sline-through[^\$]{0,40}?\$|text-decoration:\sline-through.{0,40}\d+\.\d+)}i
  # A CSS selector whose class name ends in "price", e.g. ".oldprice {".
  # NOTE(review): the final "{" is an unescaped literal brace. Newer Perl releases
  # warn about or reject unescaped "{" in some pattern positions; writing "\{"
  # matches the same text and avoids a rule that fails to compile.
  196. rawbody SARE_OEM_S_PRICE /\.\w*price\s*{/i
  # A_1: at least two of the three priced phrases. A_2: all three. A_2 implies
  # A_1, so a message with all three scores 2.0 + 1.5 = 3.5 from this pair.
  197. meta SARE_OEM_A_1 __SARE_OEM_1A + __SARE_OEM_1B + __SARE_OEM_1C > 1
  198. meta SARE_OEM_A_2 __SARE_OEM_1A + __SARE_OEM_1B + __SARE_OEM_1C > 2
  # B_3: all three phrases present without all three being followed by a digit
  # (A_2 false). It can still fire together with A_1.
  199. meta SARE_OEM_B_3 __SARE_OEM_2A && __SARE_OEM_2B && __SARE_OEM_2C && !SARE_OEM_A_2
  200. score SARE_OEM_OBFU 1.0
  201. score SARE_OEM_B_3 2.0
  202. score SARE_OEM_SOFT_IS 1.0
  203. score SARE_OEM_BRC 1.0
  204. score SARE_OEM_S_DOL 1.2
  205. score SARE_OEM_OEMCD 0.8
  206. score SARE_OEM_REDPR 0.8
  207. score SARE_OEM_A_1 2.0
  208. score SARE_OEM_A_2 1.5
  209. score SARE_OEM_S_PRICE 1.0
  210. describe SARE_OEM_OBFU Obfuscated OEM terms
  # NOTE(review): the description says "braces", but the SARE_OEM_BRC pattern
  # matches "(OEM)" in parentheses.
  211. describe SARE_OEM_BRC OEM in braces
  212. describe SARE_OEM_SOFT_IS Software that is OEM
  # Presumably a pun on strikethrough: the rule looks for struck-out prices.
  213. describe SARE_OEM_S_DOL One strike, you're out
  214. describe SARE_OEM_OEMCD Mentions a OEM cd
  215. describe SARE_OEM_REDPR Mentions lower prices
  216. describe SARE_OEM_A_1 Common OEM spam phrases
  217. describe SARE_OEM_A_2 More common OEM spam phrases
  218. describe SARE_OEM_B_3 More common OEM spam phrases
  219. describe SARE_OEM_S_PRICE CSS style that ends with price
  220. ##############################################################################
  221. # Bob Menschel's Contributions.
  # Three single-phrase body rules, each scored above 1.0. The #hist lines record
  # authorship; the #counts lines record hits on one corpus dated 09/12/04,
  # presumably spam ("s") and ham ("h") counts.
  # NOTE(review): the zero ham hits come from that 2004 corpus only. A phrase such
  # as "instant download" may well appear in legitimate order or delivery mail, so
  # re-measure against current ham before relying on a 1.820 score.
  222. body RM_bpoem_InstantDL /instant download/i
  223. describe RM_bpoem_InstantDL Contains spammer phrasing - oem s/w
  224. score RM_bpoem_InstantDL 1.820
  225. #hist RM_bpoem_InstantDL Created by Bob Menschel Sep 10 2004
  226. #counts RM_bpoem_InstantDL 82s/0h of 66096 corpus (40118s/25978h RM) 09/12/04
  227. body RM_bpc_OpenNewSite /opened a NEW site/i
  228. describe RM_bpc_OpenNewSite common spammer phrasing
  229. score RM_bpc_OpenNewSite 1.210
  230. #hist RM_bpc_OpenNewSite Created by Bob Menschel Sep 10 2004
  231. #counts RM_bpc_OpenNewSite 21s/0h of 66096 corpus (40118s/25978h RM) 09/12/04
  # Matches "WORLD BEST software", "WORLDs BEST software" and "WORLD's BEST
  # software"; with /i the capitalisation in the pattern is not significant.
  232. body RM_bpc_WorldBestSW /WORLD'?s? BEST software/i
  233. describe RM_bpc_WorldBestSW common spammer phrasing
  234. score RM_bpc_WorldBestSW 1.200
  235. #hist RM_bpc_WorldBestSW Created by Bob Menschel Sep 10 2004
  236. #counts RM_bpc_WorldBestSW 20s/0h of 66096 corpus (40118s/25978h RM) 09/12/04
  237. # EOF