# SARE file
# (03/16/04)
# For notes, updates, licensing, and info see:
# www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
#
# SpamAssassin rule file.  Each test is a regex applied to one part of the
# message (rawbody = undecoded body with markup intact, body = rendered text,
# uri = URIs extracted from the body, header = a named header), followed by
# a "describe" line shown to users and a "score" line added to the message
# total when the test hits.  Names starting with "__" are sub-rules: they
# carry no score of their own and only feed "meta" rules.
##################################
#Nothing #
##################################
# __SOMETHING hits on any non-whitespace byte in the raw body, so its
# negation BODY_EMPTY means "no visible body content at all".
rawbody __SOMETHING /\S/
meta BODY_EMPTY !__SOMETHING
score BODY_EMPTY 1.291
##################################
#URI tests #
##################################
uri FCS_URI_NODOTS /^[^\.]*$/
describe FCS_URI_NODOTS URI found with no Dots (.)
score FCS_URI_NODOTS 0.346
# A percent-encoded %00/%01 or a literal NUL (\0) anywhere before an "@"
# in a URI -- the URI-parsing bug the describe line refers to.
uri KAM_URIPARSE /(\%0[01]|\0).*\@/i
describe KAM_URIPARSE Attempted use of URI bug. Very high probability of fraud.
score KAM_URIPARSE 1.0
uri MY_FNY_WWW /\@www\./i
describe MY_FNY_WWW Funny WWW address.
score MY_FNY_WWW 1.666
# NOTE(review): the commas inside the character class are matched as
# literal characters, not treated as separators.  The describe text is
# cut off after "by" in this copy of the file.
uri BANK_SCAM /:ac=[A-Z,a-z,0-9,@,!,;]+/
describe BANK_SCAM Body of email contains URL that attempts to hide domain by
score BANK_SCAM .55
# "http." allows exactly one character after "http", so "http://" matches
# but "https://" (two characters, "s:") does not -- confirm that is intended.
rawbody MY_AT_IN_URI /http.\/\/\w{1,20}\@\w{3,25}\./i
describe MY_AT_IN_URI Found an @ in a link.
score MY_AT_IN_URI 1.666
uri AFF_ID /AFF\w+ID=/i
describe AFF_ID URL contains AFF_ID=
score AFF_ID 2.222
##################################
#URL redirects #
##################################
# "\?*" is zero-or-more literal "?", so the trailing "?" is optional here.
uri MY_URI_REDIRECT2 /http:\/\/g.msn.com\/1SUenus\/CT\?*/i
describe MY_URI_REDIRECT2 contains url of an abused unrestricted redirector
score MY_URI_REDIRECT2 0.222
uri AOL_REDIR m{^https?://www\.aol\.com/clickthruredirect\.adp}i
describe AOL_REDIR Has AOL Redirect URI
score AOL_REDIR 1.0
# Accepts "/" or "\" for every slash so backslash-obfuscated URLs also hit.
uri L_URI_REDIR3 /http:(?:\/|\\)(?:\/|\\).{0,10}\.google\.com(?:\/|\\)url\?q=\s?https?:/i
describe L_URI_REDIR3 open URI redirector (3)
score L_URI_REDIR3 3.5
# The trailing "\*" is a literal asterisk (the redirect separator in the URL).
uri MK_YAHOO_REDIR_01 /http:\/\/.{0,20}\.yahoo\.com\/.{0,60}\*/i
describe MK_YAHOO_REDIR_01 Contains a Yahoo! redirector.
score MK_YAHOO_REDIR_01 0.158
##################################
#URL test #
##################################
# Two or more digits directly before ".php" (no /i: ".PHP" is not matched).
rawbody MY_NUMPHP /\d{2,}\.php/
describe MY_NUMPHP At least 2 numbers found in PHP script name.
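score MY_NUMPHP 1.531
# The "." before "asp" is unescaped, so "default?asp" would also match.
rawbody MY_DEFAULTASP /\/default.asp\?id\=/i
describe MY_DEFAULTASP Contains a likely spammer default.asp link.
score MY_DEFAULTASP 2.222
##################################
#Unsubscribe URLs #
##################################
rawbody MY_SPACER /(?:spacer|unsub)\.gif/i
describe MY_SPACER Common .gif in spammers html code?
score MY_SPACER 0.253
uri RM_u_remove /http:\/\/remove/i
describe RM_u_remove text references apparently spammer remove page
score RM_u_remove 0.855
uri RM_u_UnsubscribePHP /unsubscribe\.php/i
describe RM_u_UnsubscribePHP text uri to unsubscribe link
score RM_u_UnsubscribePHP 1.350
##################################
#HREF rules
##################################
rawbody LOC_HTMLBADHREF /href[a-z]*href/i
describe LOC_HTMLBADHREF href(string)href in link
score LOC_HTMLBADHREF 1.666
# NOTE(review): this copy of the file is truncated here.  The regex for
# RM_rbt_Href3dHide, the rest of the HREF section and the start of the
# charset section (the rule definition behind "score RM_ft_USAscii") are
# missing; the fragment below is left exactly as found and will not parse.
# Restore it from the upstream file before loading this file.
rawbody RM_rbt_Href3dHide / I saw a mail with the following subject: score RM_ft_USAscii 0.555
# Subject charset rules: each one inspects the raw, undecoded Subject header
# for a charset label (as it appears in a MIME encoded-word such as
# "=?charset?...").  A charset the text does not need is taken as a sign
# the subject is being hidden from simple filters; see the describe lines.
header RM_st_iso8859 Subject:raw =~ /iso-8859-1/i
describe RM_st_iso8859 Subject specifies display in ISO-8859
score RM_st_iso8859 1.068
# Same label twice within 80 characters (two encoded-words in one subject).
header RM_st_iso8859x2 Subject:raw =~ /iso-8859-1.{1,80}iso-8859-1/i
describe RM_st_iso8859x2 Subject specifies display in ISO-8859, twice
score RM_st_iso8859x2 0.303
header RM_st_KS5601 Subject:raw =~ /\=\?ks_c_5601\-1987\?/i
describe RM_st_KS5601 Subject specifies display in Korean?, unnecessary unless spam hides subject
score RM_st_KS5601 0.888
header RM_st_USAscii Subject:raw =~ /us-ascii/i
describe RM_st_USAscii Subject specifies display in US-ascii, unnecessary unless spam hides subject
score RM_st_USAscii 0.033
header RM_st_utf8 Subject:raw =~ /utf-8/i
describe RM_st_utf8 Subject specifies display in utf-8
score RM_st_utf8 0.608
header RM_st_windows1251 Subject:raw =~ /windows-1251/i
describe RM_st_windows1251 Subject specifies display in windows-1251
score RM_st_windows1251 0.872
header RM_st_windows1255 Subject:raw =~ /windows-1255/i
describe RM_st_windows1255 Subject specifies display in windows-1255
score RM_st_windows1255 0.650
##################################
#Small font rules
##################################
# Runs on the rendered text: a single character bracketed by "</font>"
# inside a word.  It never inspects a size attribute; the "1pt" in the
# describe line is the author's interpretation of what such markup is for.
body HTML_FONT_SIZE_ONE /[a-z].<\/font>[a-z]/i
describe HTML_FONT_SIZE_ONE looks for spammers attempting to bypass filters by using 1pt characters inside suspect words.
score HTML_FONT_SIZE_ONE 0.027
# Matches font-size 0 through 4 in pt or px; the describe text previously
# said "0- or 1-point", which understated what the regex accepts.
rawbody RM_rbt_Font0Pt /font-size:\s*[0-4]p[tx]\b/i
describe RM_rbt_Font0Pt HTML includes 0- to 4-point/pixel font size; invisible text
score RM_rbt_Font0Pt 1.666
# font-size whose value starts with 0 or 1 and is NOT followed by another
# digit (so 10pt, 12px etc. do not hit), inside a <...> or {...} block.
describe LOC_TINY_FONT_1 Body contains 1pt font
rawbody LOC_TINY_FONT_1 /[\<\{][^\>\}]*font\-size\:[ \"\']*[01][^0-9\{\<]*[\>\}]/i
score LOC_TINY_FONT_1 2.222
##################################
# Tests
##################################
# FIX: the second quantifier was written ".{0.25}" (period instead of
# comma).  That is not a valid quantifier, so the rule could not match the
# titles it was written for; it is now ".{0,25}" like the first one.
rawbody FVGT_rb_TITLE_FREE /\<title\>.{0,25}(Free|Approved).{0,25}\<\/title\>/i
describe FVGT_rb_TITLE_FREE FVGT - html page title says "free" or "approved"
score FVGT_rb_TITLE_FREE 0.3
# 15-40 letters with no spaces or digits between <title> and </title>.
rawbody MK_BAD_HTML_24 /<title>[a-zA-Z]{15,40}<\/title>/i
describe MK_BAD_HTML_24 15 to 40 consecutive characters buried in the title.
score MK_BAD_HTML_24 0.658
#Uses the recipients email address for an HTML title.
#Make this to your own domain
#NOTE(review): if you enable this, the quantifier ".*{0.50}" must be
#rewritten as ".{0,50}" first -- as written it is not a valid regex.
#rawbody MK_BAD_HTML_26 /<TITLE>.*{0.50}\@yourdomain\.com/i
#describe MK_BAD_HTML_26 Puts a user @ mydomain.com in the title tags
#score MK_BAD_HTML_26 0.3
##################################
#<TAG alt=.*> tests
##################################
rawbody MK_BAD_HTML_15 /alt\=.{0,10}please wait/i
describe MK_BAD_HTML_15 Asks you to wait while SPAM loads.
score MK_BAD_HTML_15 0.4
rawbody MK_BAD_HTML_27 /alt\=Loading/i
describe MK_BAD_HTML_27 Asks you to wait while SPAM loads.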
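score MK_BAD_HTML_27 0.4
##################################
#<!-- Comment tests
##################################
# Two alternatives: a "<!--"-style comment/tag whose name is 8+ alphanumerics,
# or any one-character tag other than <p>, <b>, <i>, <u>.
# NOTE(review): the second alternative also hits legitimate one-letter tags
# such as <a>; the low score presumably allows for that.
rawbody MY_HTML_OBFU /<!?\-?\-?[a-zA-Z0-9]{8,}>|<[^pbiu]>/i
describe MY_HTML_OBFU too long or short HTML comments
score MY_HTML_OBFU 0.326
# An HTML comment consisting of nothing but 1-10 dollar signs.
rawbody MK_BAD_HTML_23 /<!--\${1,10}-->/i
describe MK_BAD_HTML_23 Money money comments
score MK_BAD_HTML_23 1.1
##################################
#<BR> tests
##################################
# Five <br> tags back to back on one raw-body line.
rawbody MY_MANY_BR /<br><br><br><br><br>/i
describe MY_MANY_BR Tooo many <br>'s!
score MY_MANY_BR 0.920
##################################
#Image tests
##################################
# ".gif" with at least one of g/i/f percent-encoded (%67/%69/%66); each
# alternative forces a different letter to be encoded, so plain ".gif" is
# not matched.
rawbody MY_GIF_OBFU /\.(?:(g|\%67)\%69(\%66|f)|\%67(i|\%69)(\%66|f)|(g|\%67)(i|\%69)\%66)/i
describe MY_GIF_OBFU Tries to OBFU .gif
score MY_GIF_OBFU 0.661
# A 1-3 character file name before ".jpg"/".gif".  No /i flag, so
# upper-case extensions are not matched.
rawbody MY_SHRT_IMG /\/.{1,3}\.(jpg|gif)/
describe MY_SHRT_IMG 1-3 letter gif or jpeg in url.
score MY_SHRT_IMG 0.848
# Single digit, "x", single digit, ".gif".  Despite the describe text only
# .gif is matched, not .jpg.
rawbody MY_DIMENSION_GIF /\dx\d\.gif/i
describe MY_DIMENSION_GIF Dimensional jpg,gif: 1x1.gif, 2x2.gif
score MY_DIMENSION_GIF 0.865
# Two or more digits immediately after ".gif" (e.g. a per-recipient
# tracking id appended to the image name).  Describe typo "righ" fixed.
rawbody MY_GIF_NUMBERS /\.gif\d{2,}/i
describe MY_GIF_NUMBERS Tracking numbers found right after .gif
score MY_GIF_NUMBERS .68
##################################
#Frame tests #
##################################
# NOTE(review): HTML_RELAYING_FRAME, MK_BAD_HTML_12 and MK_HIDING_IN_FRAMES_02
# are not defined in this file; they must come from another rules file
# loaded alongside it, otherwise this meta can never fire.
meta MK_HIDING_IN_FRAMES_01 HTML_RELAYING_FRAME && MK_BAD_HTML_12 && MK_HIDING_IN_FRAMES_02
describe MK_HIDING_IN_FRAMES_01 Bad HTML form. Trying to hide a word in frame, what a shame.
score MK_HIDING_IN_FRAMES_01 2.9
# A <frame> whose only content is a <noframes> block of word characters.
rawbody RM_rb_NFrames /<frame><noframes>\w*<\/noframes><\/frame>/i
describe RM_rb_NFrames Body appears to hide anti-anti-spam text in frame
score RM_rb_NFrames 1.96
# 96 spam, 0 ham, Sep 5 2003
##################################
#<marquee> tests #
##################################
rawbody MK_HTML_WE_DONT_LIKE_01 /<marquee\s?.{1,50}/i
describe MK_HTML_WE_DONT_LIKE_01 Uses a <marquee> tag, we don't like those.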
score MK_HTML_WE_DONT_LIKE_01 1.330
##################################
#<HTML> tag tests #
##################################
#<HTML> tag tests
# 3-25 characters following the closing </html> tag on the same raw line.
rawbody FVGT_rb_AFTER_HTML /\<\/html\>.{3,25}/i
describe FVGT_rb_AFTER_HTML FVGT - what comes after the closing HTML tag?
score FVGT_rb_AFTER_HTML 1.666
# A one-character tag immediately before <HTML>.
rawbody FVGT_rb_BEFORE_HTML /<.{1}><HTML>/i
describe FVGT_rb_BEFORE_HTML FVGT - what tag comes before the HTML tag?
score FVGT_rb_BEFORE_HTML 0.111
# 1-50 characters before <html> on the same raw line.
rawbody MK_BAD_HTML_13 /.{1,50}<html>/i
describe MK_BAD_HTML_13 Content before the <HTML> tag
score MK_BAD_HTML_13 0.626
# A tab character directly before the closing tag.
rawbody MK_BAD_HTML_03 /\t<\/html>/i
describe MK_BAD_HTML_03 Bad HTML form. Tabbed your closing html tag.
score MK_BAD_HTML_03 1.561
# "<!" followed by 18-60 word characters and ">" -- not a valid HTML
# declaration or comment.
rawbody L_rb_BadHtml1 /<\!\w{18,60}>/i
describe L_rb_BadHtml1 body contains invalid HTML spamsign (RM)
score L_rb_BadHtml1 1.050
#Added 7/10/2003
#Sub-rule: message has an opening <html tag (unscored, feeds the metas below).
rawbody __MK_HTML_TAG_START /<html/i
#Sub-rule: message has a closing </html> tag (unscored, feeds the metas below).
rawbody __MK_HTML_TAG_END /<\/html>/i
#Check whether the HTML message is formed correctly.  Seeing a lot of SPAM that isn't.
#HTML_MESSAGE is SpamAssassin's stock "message contains HTML" test.
meta MK_BAD_HTML_04 HTML_MESSAGE && !__MK_HTML_TAG_START && !__MK_HTML_TAG_END
describe MK_BAD_HTML_04 Bad HTML form. Doesn't have beginning or closing HTML tags.
score MK_BAD_HTML_04 0.3
#Same as MK_BAD_HTML_04, except we check for a beginning tag without an end tag.
meta MK_BAD_HTML_05 HTML_MESSAGE && __MK_HTML_TAG_START && !__MK_HTML_TAG_END
describe MK_BAD_HTML_05 Bad HTML form. Has a beginning HTML tag and no end tag.
score MK_BAD_HTML_05 0.3
#Same as MK_BAD_HTML_04, except we check for an end tag without a beginning tag.
meta MK_BAD_HTML_06 HTML_MESSAGE && !__MK_HTML_TAG_START && __MK_HTML_TAG_END
describe MK_BAD_HTML_06 Bad HTML form. Has an ending HTML tag and no beginning tag.
score MK_BAD_HTML_06 0.3
# <HTML><HEAD><TITLE> with no whitespace or newline between the three tags.
rawbody MK_BAD_HTML_16 /<HTML><HEAD><TITLE>/i
describe MK_BAD_HTML_16 Take 3 top tags in a row.
score MK_BAD_HTML_16 0.770
##################################
#<p> tag tests #
##################################
# NOTE(review): the regex ends in "\ \;" (an escaped space then ";").  That
# looks like a mangled "&nbsp;" -- verify against the upstream file before
# relying on this rule; as written it needs a literal " ;" after the <p> tag.
rawbody MK_BAD_HTML_02 /<p\s{0,50}?\S{0,50}>\s{0,50}?\ \;/i
describe MK_BAD_HTML_02 Bad HTML form. Breaking lines with paragraphs.
score MK_BAD_HTML_02 0.681
##################################
#Javascript and object tests #
##################################
# Requires the exact spacing 'onload = "window.open'; other spacing is missed.
rawbody MK_BAD_HTML_07 /<body onload \= \"window\.open/i
describe MK_BAD_HTML_07 Bad HTML form. Tries to load a javascript pop up.
score MK_BAD_HTML_07 2.3
# Object/embed "codebase" pointing at the Macromedia Shockwave download URL.
rawbody MK_BAD_HTML_14 /codebase\=\"https:\/\/download\.macromedia\.com\/pub\/shockwave/i
describe MK_BAD_HTML_14 Tries to load flash animation in an email, WTF?
score MK_BAD_HTML_14 1.9
##################################
#Multiple tags that do nothing #
##################################
# Empty <i></i> (or <b></b>) pairs separated by 1-5 characters, counted in
# three bands.  The bands are NOT exclusive: the regexes are unanchored, so
# a run of 10 pairs also contains runs of 4-6 and 7-8 and fires all three
# rules; the scores therefore add up for longer runs.
rawbody MK_BAD_HTML_17 /(<i><\/i>.{1,5}){4,6}/i
describe MK_BAD_HTML_17 Multiple <i></i> (4-6)
score MK_BAD_HTML_17 0.444
rawbody MK_BAD_HTML_18 /(<i><\/i>.{1,5}){7,8}/i
describe MK_BAD_HTML_18 Multiple <i></i> (7-8)
score MK_BAD_HTML_18 0.444
rawbody MK_BAD_HTML_19 /(<i><\/i>.{1,5}){9,10}/i
describe MK_BAD_HTML_19 Multiple <i></i> (9-10)
score MK_BAD_HTML_19 0.444
rawbody MK_BAD_HTML_20 /(<b><\/b>.{1,5}){4,6}/i
describe MK_BAD_HTML_20 Multiple <b></b> (4-6)
score MK_BAD_HTML_20 0.222
rawbody MK_BAD_HTML_21 /(<b><\/b>.{1,5}){7,8}/i
describe MK_BAD_HTML_21 Multiple <b></b> (7-8)
score MK_BAD_HTML_21 0.111
rawbody MK_BAD_HTML_22 /(<b><\/b>.{1,5}){9,10}/i
describe MK_BAD_HTML_22 Multiple <b></b> (9-10)
score MK_BAD_HTML_22 0.111
##################################
#Parenthesis tests #
##################################
# Runs on the rendered text: a single letter wrapped in parentheses with a
# letter on either side, i.e. inside a word.
body MY_CHARPARENS /[a-zA-Z]\([a-zA-Z]\)[a-zA-Z]/
describe MY_CHARPARENS Char(char)Char
score MY_CHARPARENS 0.892