# lynx -dump -force_html http://www.darkmere.gen.nz/2002/0628.html
#
# Sample SpamAssassin Rules
#
# * Please check your version of SpamAssassin to make sure these rules
#   (or equivalents) haven't been recently added before you use them.
# * You might want to put your local sitename in front of the rule
#   name to make sure they don't conflict with SpamAssassin's main
#   rules ( ie BADCREDIT1 becomes MYISP_BADCREDIT1 )
# * Use at your own risk. Some of these rules are not well tested and
#   may cause incorrect results, high load or even break SpamAssassin.
# * If you find a rule that has problems or is in the main
#   SpamAssassin release please send me a note.
#
# Sample rules to detect Spam
#

body BADCREDIT1 /bad credit/i
describe BADCREDIT1 talks about bad credit
score BADCREDIT1 1.0

body BETTERCREDIT1 /better credit/i
describe BETTERCREDIT1 talks about better credit
score BETTERCREDIT1 1.0

body CANHELPYOU1 /can help you/i
describe CANHELPYOU1 somewhere somehow something or someone can help you
score CANHELPYOU1 1.0

body MISSEDOPPUR1 /missed opportun/i
describe MISSEDOPPUR1 talks about one or more opportunities gone astray
score MISSEDOPPUR1 1.0

body MSGSENT1 /This message was sent/i
describe MSGSENT1 identifies how you are described in their spam list
score MSGSENT1 1.0

body BENEFITS1 /Get the benefits/i
describe BENEFITS1 why this spam is beneficial
score BENEFITS1 1.0

body MERICANS1 /million American/i
describe MERICANS1 xx million Americans are totally uninterested in useless statistics
score MERICANS1 1.0

body VISIT_OUR_SITE /\b(?:visit|enter)\s+(?:my|our|the|this)\s+(?:web\s*)?site/i
describe VISIT_OUR_SITE Wants you to visit a web site
score VISIT_OUR_SITE 2.5

body SEARCH_ENGINE_PROMO /\b(?:(?:submitt?|list)(?:ed|ing|s)?|place(?:d|ment))\s+.{0,15}\b(?:in|to)\b.{0,15}\b(?:(?:top|best|major|largest|biggest).{0,15}\b)?(?:search(?:ing)?\s*(?:engine|site)|director(?:y|ies))/is
describe SEARCH_ENGINE_PROMO Discusses search engine listings
score SEARCH_ENGINE_PROMO 2.6
test SEARCH_ENGINE_PROMO ok evaluated for FREE for its keyword placement in the top twenty major search engines

body OFFSHORE_SCAM /offshore .{0,20}(creditcards|companies|accounts?|financial|website)/i
describe OFFSHORE_SCAM Off Shore Scams
score OFFSHORE_SCAM 2.0

body VACATION_SCAM /(free|mini-?|dream).{0,10}vacation|vacation(offer|promotion|package)/i
describe VACATION_SCAM Vacation Offers
score VACATION_SCAM 2.0

body FREE_STUFF /free (cellphone|preview|debt|money|bargain|access|website|dvd|leads|sample|signup|hosting|tickets|offer|flag|quote|investment|pics)/i
describe FREE_STUFF Stuff for Free
score FREE_STUFF 2.0

body CREDIT_CARD /consolidate.{1,15}debt|creditcard.{1,10}(offer|debt|bankruptcy|decision)|accept.{1,10}creditcards|creditorscalling|unsecured.{0,20}(mastercard|visa|discover|credit|loans|debt)|all.{1,9} credit bureaus?|(bad|no|eliminate|(re)establish|damag).{0,15}(credit|debt)|debt (consolidation|elimination)/i
describe CREDIT_CARD Credit Card, Credit, Debt Relief
score CREDIT_CARD 2.0

header RCVD_IN_NJABL eval:check_rbl('relay', 'dnsbl.njabl.org')
describe RCVD_IN_NJABL Received via a relay in NJABL
score RCVD_IN_NJABL 3.0

header RCVD_IN_XBL eval:check_rbl('relay', 'xbl.selwerd.cx')
describe RCVD_IN_XBL Received unconfirmed spam via eXtreme Block List
score RCVD_IN_XBL 0.5

body DRIVERS_LICENSE /international drivers?\'?s? license/i
describe DRIVERS_LICENSE International Drivers License scam
score DRIVERS_LICENSE 3.0

body SPONSORED1 /brought to you by/i
describe SPONSORED1 spam with embedded commercials, SHEESH
score SPONSORED1 1.0

body REMOVE1 /REMOVE/
describe REMOVE1 REMOVE in caps
score REMOVE1 1.0

body SPECIAL1 /special offer/i
describe SPECIAL1 special offer, OH GOODY!
score SPECIAL1 1.0

body DLB1 /dlbdirect/i
describe DLB1 dlbDirect does third party mailing
score DLB1 1.0

body NOTRSPBL1 /not responsible/i
describe NOTRSPBL1 irresponsible spammer
score NOTRSPBL1 1.0

body NOWOG1 /no (?:guarantees|warranties)/i
describe NOWOG1 unwarranted email
score NOWOG1 1.0

body PSADV1 /(?:services|products) advertised/i
describe PSADV1 disclaims products or services they are spamming about
score PSADV1 1.0

header FROM_BADWORDS From =~/optin|casino|trusted|sex|free|xxx|pussy|foryou/
describe FROM_BADWORDS From domain contains bad words
test FROM_BADWORDS ok sales@optinmail.net
score FROM_BADWORDS 1.0

# Korean UCE Subject: lines are usually 8-bit, but are occasionally encoded
# with quoted-printable or base64.
#
# \xbc\xba\xc0\xce means "adult"
# \xb1\xa4\xb0\xed means "advertisement"
# \xc1\xa4\xba\xb8 means "information"
# \xc8\xab\xba\xb8 means "publicity"
#
# Each two byte sequence is one Korean letter; the spaces and periods are
# sometimes used to obscure the words. \xb1\xa4\xb0\xed is the most common
# tag and is sometimes very obscured so we look harder.
#
header KOREAN_UCE_SUBJECT Subject =~ /[({[<][. ]*(?:\xbc\xba[.]*\xc0\xce[. ]*)?(?:\xb1\xa4(?:[. ]*|[\x00-\x7f]{0,3})\xb0\xed|\xc1\xa4[.]*\xba\xb8|\xc8\xab[. ]*\xba\xb8)[. ]*[)}\]>]/
describe KOREAN_UCE_SUBJECT Subject: contains Korean unsolicited email tag

body PROMOTE_YOUR_BUSINESS /(?:(?:advert|public)i[sz]e|promote|increase|grow|expand|boost)\s+.{0,15}\b(?:(?:web)?site|business|offer(?:ing)?|(?:down|power)line|exposure)/i
describe PROMOTE_YOUR_BUSINESS Wants to help promote your business
test PROMOTE_YOUR_BUSINESS ok publicize your website
test PROMOTE_YOUR_BUSINESS ok grow your business
test PROMOTE_YOUR_BUSINESS ok Increase your Business Sales!
test PROMOTE_YOUR_BUSINESS ok Fwd:Promote any business
test PROMOTE_YOUR_BUSINESS ok boost your Internet exposure
score PROMOTE_YOUR_BUSINESS 3.0

header RCVD_IN_RBL_PLUS eval:check_rbl('rblplus','rbl-plus.mail-abuse.org.')
describe RCVD_IN_RBL_PLUS Received via RBLed relay, see http://www.mail-abuse.org/rbl/
score RCVD_IN_RBL_PLUS 0.01

header X_RBL eval:check_rbl_results_for('rblplus', '127.1.0.1')
describe X_RBL Received via RBLed relay, see http://www.mail-abuse.org/rbl/
score X_RBL 4

header X_DUL eval:check_rbl_results_for('rblplus', '127.1.0.2')
describe X_DUL Received via DUL, see http://www.mail-abuse.org/dul/
score X_DUL 0

header X_RBL_DUL eval:check_rbl_results_for('rblplus', '127.1.0.3')
describe X_RBL_DUL Received via RBL and DUL, see http://www.mail-abuse.org/rbl/
score X_RBL_DUL 4

header X_RSS eval:check_rbl_results_for('rblplus', '127.1.0.4')
describe X_RSS Received via RSS, see http://www.mail-abuse.org/rss/
score X_RSS 2

header X_RBL_RSS eval:check_rbl_results_for('rblplus', '127.1.0.5')
describe X_RBL_RSS Received via RBL and RSS, see http://www.mail-abuse.org/rbl/
score X_RBL_RSS 5

header X_RSS_DUL eval:check_rbl_results_for('rblplus', '127.1.0.6')
describe X_RSS_DUL Received via RSS and DUL, see http://www.mail-abuse.org/rss/
score X_RSS_DUL 2

header X_RBL_RSS_DUL eval:check_rbl_results_for('rblplus', '127.1.0.7')
describe X_RBL_RSS_DUL Received via RBL+DUL+RSS ip, see http://www.mail-abuse.org/rbl/
score X_RBL_RSS_DUL 5

#
# Sample rules to detect non-Spam
#

header SUBJECT_HAS_DATE Subject =~ /1?\d[-\/][1-3]?\d[-\/](20)?02/
describe SUBJECT_HAS_DATE Subject contains a date
score SUBJECT_HAS_DATE -4.0

header FROM_NEWS_LIST From =~ /(\@news|\@list)/i
describe FROM_NEWS_LIST From: has a news or list hostname in FQDN
score FROM_NEWS_LIST -2.0

header FROM_US_PHONE From =~ /^[2-9]\d{9}\@/
describe FROM_US_PHONE From: looks like US Telephone Number
score FROM_US_PHONE -5.0

header SUBJECT_IS_NEWS Subject =~ /(in review|news|list)/i
describe SUBJECT_IS_NEWS Subject contains news newsletter list daily, weekly or monthly
score SUBJECT_IS_NEWS -4.0

header SUBJECT_FREQ Subject =~ /(monday|daily|week|monthly)/i
describe SUBJECT_FREQ Subject contains monday daily week or monthly
score SUBJECT_FREQ -2.5

header SUBJECT_MONTH Subject =~ /(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)/i
describe SUBJECT_MONTH Subject has month in it probable newsletter
score SUBJECT_MONTH -3.5

header Q_FOR_SELLER Subject =~ /Question for seller/
describe Q_FOR_SELLER Subject is eBay Question for seller
score Q_FOR_SELLER -4.0

header FROM_EGROUPS X-eGroups-Return =~ /^sentto-.*\@returns.groups.yahoo.com$/
describe FROM_EGROUPS Appears to be from yahoo groups
test FROM_EGROUPS ok sentto-2537484-52529-1020428367-Sxm=olswang.com@returns.groups.yahoo.com
test FROM_EGROUPS fail spammer@returns.groups.yahoo.com
score FROM_EGROUPS -3

header FWD_MSG Subject =~ /\[?Fwd?:?\s*/
describe FWD_MSG Forwarded email
score FWD_MSG -1.0

body HOTMAIL_FOOTER1 /Send and receive Hotmail on your mobile device: /
describe HOTMAIL_FOOTER1 Common footer for Hotmail
score HOTMAIL_FOOTER1 -1.0

body HOTMAIL_FOOTER2 /Get your FREE download of MSN Explorer at /
describe HOTMAIL_FOOTER2 Common footer for Hotmail
score HOTMAIL_FOOTER2 -1.0

body HOTMAIL_FOOTER3 /Get Your Private, Free E-mail from MSN Hotmail at http:\/\/www\.hotmail\.com\./
describe HOTMAIL_FOOTER3 Common footer for Hotmail
score HOTMAIL_FOOTER3 -1.0

body HOTMAIL_FOOTER4 /Join the world's largest e-mail service with MSN Hotmail\./
describe HOTMAIL_FOOTER4 Common footer for Hotmail
score HOTMAIL_FOOTER4 -1.0

body HOTMAIL_FOOTER5 /Chat with friends online, try MSN Messenger: /
describe HOTMAIL_FOOTER5 Common footer for Hotmail
score HOTMAIL_FOOTER5 -1.0

body MSN_FOOTER1 /MSN Photos is the easiest way to share and print your photos: /
describe MSN_FOOTER1 Common footer for MSN
score MSN_FOOTER1 -1.0

body MSN_FOOTER2 /Remove my e-mail address from Gaming Zone /
describe MSN_FOOTER2 Common footer for MSN
score MSN_FOOTER2 -1.0

body MAILBITS_EMAIL /This is a free service provided by MailBits\.com\./
describe MAILBITS_EMAIL recommended page from MailBits.com
score MAILBITS_EMAIL -1.0

# NOTE you will need to customize this one with local ISPs in your area.
header LOCAL_ISP From =~ /@(execulink\.com|sympatico\.ca|golden\.net|shaw\.ca)/
describe LOCAL_ISP From a local ISP
score LOCAL_ISP -1.0

body GROUPS_YAHOO_1 /Your use of Yahoo! Groups is subject to the/
describe GROUPS_YAHOO_1 Modified Yahoo! Groups test
score GROUPS_YAHOO_1 -1.0

body GROUPS_MSN /http:\/\/communities\.msn\.com\/contact/
describe GROUPS_MSN MSN Communities
score GROUPS_MSN -1.0
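
# Added example (not part of the original rules file): a small Python linter
# for rule files in this syntax. It reports describe/score/test lines that name
# an undefined rule, regexes that do not compile, and "test NAME ok|fail"
# strings that do not behave as declared. Assumptions: Python's re module
# stands in for Perl's regex engine, and the rules in SAMPLE are constructed.

```python
import re

FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}
DEFINE = re.compile(r"^(?:body|header|rawbody|uri|full)\s+(\w+)\s+(.*)$")
REGEX = re.compile(r"^(?:\S+\s*=~\s*)?/(.*)/([a-z]*)$")
# Constructed sample in the page's syntax; the misspelled score name, the
# failing test string and the malformed "(?visit" group are deliberate.
SAMPLE = r"""
header FROM_EGROUPS X-eGroups-Return =~ /^sentto-.*\@returns.groups.yahoo.com$/
test FROM_EGROUPS ok sentto-2537484-52529-1020428367-Sxm=olswang.com@returns.groups.yahoo.com
test FROM_EGROUPS fail spammer@returns.groups.yahoo.com
score FROM_EGROUPS -3
header FROM_US_PHONE From =~ /^[2-9]\d{9}\@/
test FROM_US_PHONE ok 1234567890@example.com
body DRIVERS_LICENSE /international drivers?\'?s? license/i
score DRIVES_LICENSE 3.0
body VISIT_SITE /\b(?visit|enter)\s+(?:my|our)\s+site/i
"""

def lint(text):
    """Return sorted (rule_name, problem) pairs for a rules file."""
    rules, refs, findings = {}, [], []
    for line in (l.strip() for l in text.splitlines()):
        m = DEFINE.match(line)
        if m:
            name, rx = m.group(1), REGEX.match(m.group(2))
            rules[name] = None  # eval: rules and broken regexes stay None
            if rx:
                flags = sum(FLAGS.get(f, 0) for f in set(rx.group(2)))
                try:
                    rules[name] = re.compile(rx.group(1), flags)
                except re.error as exc:
                    findings.append((name, f"regex does not compile: {exc}"))
        else:
            parts = line.split(None, 3)
            if len(parts) > 1 and parts[0] in ("describe", "score", "test"):
                refs.append(parts)
    for kind, name, *rest in refs:
        if name not in rules:
            findings.append((name, f"{kind} refers to undefined rule"))
        elif kind == "test" and rules[name] is not None and len(rest) == 2:
            hit = rules[name].search(rest[1]) is not None
            if hit != (rest[0] == "ok"):  # "ok" must match, "fail" must not
                findings.append((name, f"test '{rest[0]}' failed: {rest[1]}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in lint(SAMPLE):
        print(f"{name}: {problem}")
```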