# SARE file
# (03/16/04)
# For notes, updates, licensing, and info see:
# www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm

########################
#Message-Id signatures #
########################
header		RATWR1_MESSID       		Message-Id =~ /^<[A-Z]+-\d+@[a-z']+>$/
describe	RATWR1_MESSID       		Message-Id matches a known spammer pattern (XXX- -999@xxxx)
score		RATWR1_MESSID       		1.188

header		RATWR3_MESSID       		Message-ID =~ /<[A-F0-9]{32}\@/
describe	RATWR3_MESSID       		Message-ID has ratware pattern (32 HEX@)
score		RATWR3_MESSID       		0.1

header		RATWR5_MESSID       		Message-ID =~ /<\d\d?[\$-]/
describe	RATWR5_MESSID       		Message-ID has ratware pattern (9-, 9$, 99-)
score		RATWR5_MESSID       		1.111

header		RATWR6_MESSID       		Message-ID =~ /<0{6}\d{6}\$\d/
describe	RATWR6_MESSID       		Message-ID has ratware pattern (000009999$9)
score		RATWR6_MESSID       		0.055

header		RATWR7a_MESSID      		Message-ID =~ /<[a-z0-9]{12}(\$[a-z0-9]{8}){2}\@/
describe	RATWR7a_MESSID      		Message-ID has ratware pattern (12hex$8hex$8hex@)
score		RATWR7a_MESSID      		0.252

header		RATWR7b_MESSID      		Message-ID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/
describe	RATWR7b_MESSID      		Message-ID has ratware pattern (7hex$4hex$4hex@)
score		RATWR7b_MESSID      		0.1

header		RATWR8_MESSID       		Message-ID =~ /<([a-z0-9]*[-\$]){4}/i
describe	RATWR8_MESSID       		Message-ID has ratware pattern (excessive dashes and dollars)
score		RATWR8_MESSID       		0.694

header		RATWR9_MESSID       		Message-ID =~ /<\d{8,12}\.\d{12,19}\@/
describe	RATWR9_MESSID       		Message-ID has ratware pattern (9999.99999999@)
score		RATWR9_MESSID       		0.802

header		RATWR10_MESSID      		Message-ID =~ /<[0-9A-Z]{8}\.[0-9A-Z]{7}\@/
describe	RATWR10_MESSID      		Message-ID has ratware pattern (HEXHEX.HEXHEX@)
score		RATWR10_MESSID      		0.646

header		RATWR11_MESSID      		Message-ID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
describe	RATWR11_MESSID      		Message-ID has ratware pattern (HEXHEXHEX$9x9@)
score		RATWR11_MESSID      		0.1

header		RATWR12_MESSID      		Message-ID =~ /<\d{10}\.\d{4}\@/
describe	RATWR12_MESSID      		Message-ID has ratware pattern (999999.999@)
score		RATWR12_MESSID      		1.133

header		RATWR14_MESSID      		Message-ID =~ /<\d{5}\.\d{7}\@/
describe	RATWR14_MESSID      		Message-ID has ratware pattern (99999.9999999@)
score		RATWR14_MESSID      		0.1

header		RATWR15_MESSID      		Message-ID =~ /<1z.+\@1z/
describe	RATWR15_MESSID      		Message-ID has ratware pattern (1zXXXX@1z)
score		RATWR15_MESSID      		0.1

header		RATWR16_MESSID      		Message-ID =~ /<\d\.\d\.\d\d\.\d{16}[a-f0-9]{6}@/
describe	RATWR16_MESSID      		Message-ID has ratware pattern (9.9.99.9999999hex@
score		RATWR16_MESSID      		0.722

header		RATWR17_MESSID      		Message-ID =~ /<200[3456][.:][01]\d[.:][0123]\d/
describe	RATWR17_MESSID      		Message-ID has ratware pattern (YYYY.MM.DD)
score		RATWR17_MESSID      		0.655

header		RATWR18_MESSID      		Message-ID =~ /xeg\.tf\@/
describe	RATWR18_MESSID      		Message-ID has ratware pattern (xeg.tf@)
score		RATWR18_MESSID      		0.1

header		RATWR19_MESSID      		Message-ID =~ /<[A-Z]{21,38}(\.[a-z_]+)?\@/
describe	RATWR19_MESSID      		Message-ID has ratware pattern (XXXXXXXXXXXX[.xxxxxx]@)
score		RATWR19_MESSID      		0.405

header		RATWR20_MESSID      		Message-ID =~ /\@((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])>$/
describe	RATWR20_MESSID      		Message-ID has ratware pattern (@255.255.255.255)
score		RATWR20_MESSID      		0.625

header  	RM_hm_ShortMsgid12  		Message-ID =~ /^.{1,12}$/
describe	RM_hm_ShortMsgid12  		Message ID is too short to be valid. Possible spam/virus sign
score   	RM_hm_ShortMsgid12  		0.650

header  	LOC_BADYAHOOMSGID1  		Message-ID =~ /\@yahoo.com/i
describe	LOC_BADYAHOOMSGID1  		From Charles Gregory <cgregory@hwcn.org>
score   	LOC_BADYAHOOMSGID1  		1.166

header  	LOC_BADYAHOOMSGID2  		Message-ID =~ /[A-Z]{8,}\@yahoo.com/
describe	LOC_BADYAHOOMSGID2  		From Charles Gregory <cgregory@hwcn.org>
score   	LOC_BADYAHOOMSGID2  		0.983

header  	LOC_BADYAHOOMSGID3  		Message-ID =~ /[A-Z]{8}\@yahoo.com/
describe	LOC_BADYAHOOMSGID3  		From Charles Gregory <cgregory@hwcn.org>
score   	LOC_BADYAHOOMSGID3  		0.983

header  	RM_hm_EmtyMsgid     		Message-ID =~ /^\s*$/
describe	RM_hm_EmtyMsgid     		Message ID is empty, or just spaces - probable spamsign
score   	RM_hm_EmtyMsgid     		0.316

header 		MY_MESSAGEID_KIEV 		Message-ID =~ /\@MOHA>/
describe	MY_MESSAGEID_KIEV 		Hopless spammer message ID
score 		MY_MESSAGEID_KIEV 		1.0


#########################
#Ratware mailers        #
#########################
header		T_RATWARE_MAILER_01		X-Mailer =~ /BroadcastHTML Mailer/i
describe	T_RATWARE_MAILER_01		Ratware mailer 1
score		T_RATWARE_MAILER_01		0.3

#X-Mailer: SuperMail-2
header		T_RATWARE_MAILER_02		X-Mailer =~ /SuperMail-2/i
describe	T_RATWARE_MAILER_02		Ratware mailer 2
score		T_RATWARE_MAILER_02		0.3

#Shows up at bottom of email when you use unregistered version.
body		T_RATWARE_MAILER_03		/HotCast Mass E-Mailer/i
describe	T_RATWARE_MAILER_03		Ratware mailer 3
score		T_RATWARE_MAILER_03		0.3

header		T_RATWARE_MAILER_04		X-Mailer =~ /PowerMTA\(TM\) v1\.5/
describe	T_RATWARE_MAILER_04		Sent by PowerMTA
score		T_RATWARE_MAILER_04		0.3

body		T_RATWARE_MAILER_05 		/http:\/\/www\.adminsystem\.net \(Trial Version Only\)/
describe	T_RATWARE_MAILER_05 		Ratware mailer.
score		T_RATWARE_MAILER_05 		0.3

header    	RM_hxm_mPOPwebMail     		X-Mailer =~ /mPOP Web-Mail/
describe  	RM_hxm_mPOPwebMail     		Uses mPOP Web-Mail Mailer often used by spammers
score     	RM_hxm_mPOPwebMail     		1.000  # 855s/0h of 87289 corpus (70035s/17254h)

#X-Originating-IP: [rx357.comIP]
header		T_RATWARE_MAILER_07		X-Originating-IP =~ /\[.{0,10}\.(?:com|net|org)IP\]/i
describe	T_RATWARE_MAILER_07		Ratware mailer 7
score		T_RATWARE_MAILER_07		1.66

header		FVGT_h_MAILLENNIUM		ALL =~ /added by Maillennium/
describe	FVGT_h_MAILLENNIUM		FVGT - something was added by Maillennium
score		FVGT_h_MAILLENNIUM		0.5

#############################################
#Ratware Oops                               #
#############################################
rawbody		T_RATWARE_OOPS_01		/(?:<(?:\/|!|!--)?(?:RND(?:LT|MX|DG|MS|LINES?)\[?[0-9]?[0-9]?\]?|RANDOM_TEST))>/i
describe	T_RATWARE_OOPS_01		Spammer doesn't know how to use ratware properly (<>)
score		T_RATWARE_OOPS_01		6.1

rawbody		T_RATWARE_OOPS_02		/\%\s?(?:RANDOM_@?(?:WORD|TEXT|NUMBERS?|CHARS?|=|NLS[0-9]|DATE|TIME)|PRIORITY_NUMBER|RND_?(?:\:.{1,10}|AD|ALL_|ALL_OTHER_MEDS|BUY|BUY_TAG|DG|IMA|LINES?|LT|MS|MEDS?|MX|SYB|TEXT|URL|WORD|([UL]C_)?CHAR)|MESSAGE_BODY|BOUNDARY|STRING_CONST|CUSTOM[0-9]_)/i
describe	T_RATWARE_OOPS_02		Spammer doesn't know how to use ratware properly (%)
score		T_RATWARE_OOPS_02		6.1


rawbody		T_RATWARE_OOPS_03		/!RANDOM_(?:NUMBERS?|CHARS?)!/i
describe	T_RATWARE_OOPS_03		Spammer doesn't know how to use ratware properly (!!)
score		T_RATWARE_OOPS_03		6.1

rawbody		T_RATWARE_OOPS_04		/\[RANDOMIZE\]/i
describe	T_RATWARE_OOPS_04		Spammer doesn't know how to use ratware properly ([])
score		T_RATWARE_OOPS_04		6.1

rawbody		T_RATWARE_OOPS_05		/\$(?:R\s?A\s?N\s?D\s?O\s?M\s?I\s?Z\s?E|(?:|FIRST|LAST)NAME|STRIPPEDUSER)/i
describe	T_RATWARE_OOPS_05		Spammer doesn't know how to use ratware properly ($)
score		T_RATWARE_OOPS_05		6.1

rawbody		T_RATWARE_OOPS_06		/(?:random_subj|\\messages\\names.{0,5}|lines|words)\.txt/i
describe	T_RATWARE_OOPS_06		Spammer doesn't know how to use ratware properly (.txt)
score		T_RATWARE_OOPS_06		6.1

rawbody		T_RATWARE_OOPS_07		/https?:\/\/.{0,20}<urlmask/i
describe	T_RATWARE_OOPS_07		Spammer doesn't know how to use ratware properly (urlmask)
score		T_RATWARE_OOPS_07		6.1

#<a href=ptth:\\
rawbody		T_RATWARE_OOPS_08		/<a\shref=ptth:\\\\/i
describe	T_RATWARE_OOPS_08		Spammer doesn't know how to use ratware properly (ptth)
score		T_RATWARE_OOPS_08		1.1

#http://www..
rawbody		T_RATWARE_OOPS_09		/http:\/\/www\.\./i
describe	T_RATWARE_OOPS_09		Spammer doesn't know how to use ratware properly (..)
score		T_RATWARE_OOPS_09		1.1

rawbody		T_RATWARE_OOPS_10		/https?:\/\/.{0,5}TO_NAME\@/i
describe	T_RATWARE_OOPS_10		Spammer doesn't know how to use ratware properly (TO_NAME)
score		T_RATWARE_OOPS_10		6.1

rawbody		T_RATWARE_OOPS_11		/http:\/\/.{0,10}http\:\/\//i
describe	T_RATWARE_OOPS_11		Spammer doesn't know how to use ratware properly (http^2)
score		T_RATWARE_OOPS_11		0.416

#Dear {first_name}
rawbody		T_RATWARE_OOPS_12 		/Dear \{first_name\}/i
describe	T_RATWARE_OOPS_12		Ratware vomit.
score		T_RATWARE_OOPS_12		1.2

#Has a RANDOM_ or RND_ something
rawbody		T_RATWARE_OOPS_13		/(?:<|\%|!|\[|\{|\$)(?:RND|RANDOM)_?/
describe	T_RATWARE_OOPS_13		Has a possible RANDOM spammer goof in it.
score		T_RATWARE_OOPS_13		1.5

#Has a RANDOM_ or RND_ something
rawbody		T_RATWARE_OOPS_14		/(?:RND|RANDOM|RAND)_/
describe	T_RATWARE_OOPS_14		Has a possible RANDOM spammer goof in it.
score		T_RATWARE_OOPS_14		0.7

#Snags this X-Mailer: Microsoft Outlook, Build 10.0.<rnds[2605,2627,2616,3416,4024,4510]>
header		T_RATWARE_MS_MAIL_VERS		X-Mailer =~ /Microsoft Outlook.{0,30}<rnds\[.{1,30}\]>/i
describe	T_RATWARE_MS_MAIL_VERS		Multiple versions for MS Outlook goof.
score		T_RATWARE_MS_MAIL_VERS		6.1

#Snags this X-MimeOLE: Produced By Microsoft MimeOLE V6.00.<rnds[2462.0000,2479.0006,2505.0000,2600.0000,2800.1081,2800.1082,2800.1106,2800.1123,2800.1165]>
header		T_RATWARE_MS_MIME_VERS		X-MimeOLE =~ /Produced By Microsoft MimeOLE.{1,10}<rnds\[.{1,30}\]>/i
describe	T_RATWARE_MS_MIME_VERS		Multiple versions for MS MimeOLE goof.
score		T_RATWARE_MS_MIME_VERS		6.1

#Actually received some of these.  It's generally intentional when people post to lists :)
#$MUNGED
header		T_MUNGED_FROM			From =~ /\$?MUNGED\@/
describe	T_MUNGED_FROM			From address munged, literally.
score		T_MUNGED_FROM			2.3

header		T_MUNGED_TOCC			ToCc =~ /\$?MUNGED\@/
describe	T_MUNGED_TOCC			To/CC address munged, literally.
score		T_MUNGED_TOCC			2.3

#FIRSTNAME|LASTNAME|STRIPPEDUSER
header		T_RATWARE_USER_VAR_FROM		From =~ /\$(?:FIRSTNAME|LASTNAME|STRIPPEDUSER)/i
describe	T_RATWARE_USER_VAR_FROM		From includes ratware variable
score		T_RATWARE_USER_VAR_FROM		3.3

header		T_RATWARE_USER_VAR_TOCC		ToCc =~ /\$(?:FIRSTNAME|LASTNAME|STRIPPEDUSER)/i
describe	T_RATWARE_USER_VAR_TOCC		To/CC includes ratware variable
score		T_RATWARE_USER_VAR_TOCC		3.3

#Added 7/8/2003
#They took out the meta tags for frontpage, but forgot this one shows up from fp also.
rawbody 	__T_RATWARE_ERROR_03 		/\<\!\-\- saved from url\=\(0022\)http:\/\/internet\.e-mail \-\-\>/
describe 	__T_RATWARE_ERROR_03 		Frontpage was used to create the email.

meta 		T_RATWARE_ERROR_04 		!FRONTPAGE && __T_RATWARE_ERROR_03
describe 	T_RATWARE_ERROR_04 		Made with Frontpage, but forgot to remove all entries.
score 		T_RATWARE_ERROR_04 		0.816

rawbody		FVGT_rb_NEWPAGE1		/\<title\>New Page 1\<\/title\>/i
describe	FVGT_rb_NEWPAGE1		FVGT - default page title New Page 1
score		FVGT_rb_NEWPAGE1		0.619

body 		MY_FNAMEB 			/(f|l)name/i
describe 	MY_FNAMEB 			Fname rule for body.
score 		MY_FNAMEB 			0.652