## tkooda : 2004-08-11 : sample sarulesupdate rules file
##
## - these exit0.us rules may not be updated very often?
## - just uncomment the rules you'd like to use
## - don't use the same rule filename (col1) more than once
##
#70_sare_adult.cf http://www.exit0.us/rules/70_sare_adult.cf
#70_sare_bayes_poison_nxm.cf http://www.exit0.us/rules/70_sare_bayes_poison_nxm.cf
#70_sare_genlsubj.cf http://www.exit0.us/rules/70_sare_genlsubj.cf
#70_sare_genlsubj0.cf http://www.exit0.us/rules/70_sare_genlsubj0.cf
#70_sare_genlsubj1.cf http://www.exit0.us/rules/70_sare_genlsubj1.cf
#70_sare_genlsubj2.cf http://www.exit0.us/rules/70_sare_genlsubj2.cf
#70_sare_genlsubj3.cf http://www.exit0.us/rules/70_sare_genlsubj3.cf
#70_sare_header.cf http://www.exit0.us/rules/70_sare_header.cf
#70_sare_header0.cf http://www.exit0.us/rules/70_sare_header0.cf
#70_sare_header1.cf http://www.exit0.us/rules/70_sare_header1.cf
#70_sare_header2.cf http://www.exit0.us/rules/70_sare_header2.cf
#70_sare_header3.cf http://www.exit0.us/rules/70_sare_header3.cf
#70_sare_header_abuse.cf http://www.exit0.us/rules/70_sare_header_abuse.cf
#70_sare_highrisk.cf http://www.exit0.us/rules/70_sare_highrisk.cf
#70_sare_html.cf http://www.exit0.us/rules/70_sare_html.cf
#70_sare_html0.cf http://www.exit0.us/rules/70_sare_html0.cf
#70_sare_html1.cf http://www.exit0.us/rules/70_sare_html1.cf
#70_sare_html2.cf http://www.exit0.us/rules/70_sare_html2.cf
#70_sare_html3.cf http://www.exit0.us/rules/70_sare_html3.cf
#70_sare_html_eng.cf http://www.exit0.us/rules/70_sare_html_eng.cf
#70_sare_oem.cf http://www.exit0.us/rules/70_sare_oem.cf
#70_sare_random.cf http://www.exit0.us/rules/70_sare_random.cf
#70_sare_ratware.cf http://www.exit0.us/rules/70_sare_ratware.cf
#70_sare_specific.cf http://www.exit0.us/rules/70_sare_specific.cf
#70_sare_spoof.cf http://www.exit0.us/rules/70_sare_spoof.cf
#70_sc_top200.cf http://www.exit0.us/rules/70_sc_top200.cf
#71_sare_bml_pre25x.cf http://www.exit0.us/rules/71_sare_bml_pre25x.cf
#71_sare_redirect_pre3.0.0.cf http://www.exit0.us/rules/71_sare_redirect_pre3.0.0.cf
#72_sare_bml_post25x.cf http://www.exit0.us/rules/72_sare_bml_post25x.cf
#72_sare_redirect_post3.0.0.cf http://www.exit0.us/rules/72_sare_redirect_post3.0.0.cf
#88_FVGT_Bayes_Poison.cf http://www.exit0.us/rules/88_FVGT_Bayes_Poison.cf
#88_FVGT_body.cf http://www.exit0.us/rules/88_FVGT_body.cf
#88_FVGT_headers.cf http://www.exit0.us/rules/88_FVGT_headers.cf
#88_FVGT_rawbody.cf http://www.exit0.us/rules/88_FVGT_rawbody.cf
#88_FVGT_subject.cf http://www.exit0.us/rules/88_FVGT_subject.cf
#88_FVGT_uri.cf http://www.exit0.us/rules/88_FVGT_uri.cf
#98_text_de_evilnumbers.cf http://www.exit0.us/rules/98_text_de_evilnumbers.cf
#98_text_es_evilnumbers.cf http://www.exit0.us/rules/98_text_es_evilnumbers.cf
#98_text_fr_evilnumbers.cf http://www.exit0.us/rules/98_text_fr_evilnumbers.cf
#98_text_it_evilnumbers.cf http://www.exit0.us/rules/98_text_it_evilnumbers.cf
#98_text_nl_evilnumbers.cf http://www.exit0.us/rules/98_text_nl_evilnumbers.cf
#99_FVGT_DomainDigits.cf http://www.exit0.us/rules/99_FVGT_DomainDigits.cf
#99_FVGT_Spoof.cf http://www.exit0.us/rules/99_FVGT_Spoof.cf
#99_FVGT_Tripwire.cf http://www.exit0.us/rules/99_FVGT_Tripwire.cf
#99_FVGT_meta.cf http://www.exit0.us/rules/99_FVGT_meta.cf
#99_OBFU_drugs.cf http://www.exit0.us/rules/99_OBFU_drugs.cf
#99_SARE_Spoof.cf http://www.exit0.us/rules/99_SARE_Spoof.cf
#99_sare_adult.cf http://www.exit0.us/rules/99_sare_adult.cf
#99_sare_biz_market_learn_post25x.cf http://www.exit0.us/rules/99_sare_biz_market_learn_post25x.cf
#99_sare_biz_market_learn_pre25x.cf http://www.exit0.us/rules/99_sare_biz_market_learn_pre25x.cf
#99_sare_fraud_post25x.cf http://www.exit0.us/rules/99_sare_fraud_post25x.cf
#99_sare_fraud_pre25x.cf http://www.exit0.us/rules/99_sare_fraud_pre25x.cf
#99_sare_random.cf http://www.exit0.us/rules/99_sare_random.cf
#99_sare_spoof.cf http://www.exit0.us/rules/99_sare_spoof.cf
#OBFU_Bayespoison.cf http://www.exit0.us/rules/OBFU_Bayespoison.cf
#Obfu1.cf http://www.exit0.us/rules/Obfu1.cf
#antidrug.cf http://www.exit0.us/rules/antidrug.cf
#backhair.cf http://www.exit0.us/rules/backhair.cf
#bigevil.cf http://www.exit0.us/rules/bigevil.cf
#bigevil2.cf http://www.exit0.us/rules/bigevil2.cf
#bogus-virus-warnings.cf http://www.exit0.us/rules/bogus-virus-warnings.cf
#chickenpox.cf http://www.exit0.us/rules/chickenpox.cf
#coding_html.cf http://www.exit0.us/rules/coding_html.cf
#evilnumbers.cf http://www.exit0.us/rules/evilnumbers.cf
#header_abuse.cf http://www.exit0.us/rules/header_abuse.cf
#mangled.cf http://www.exit0.us/rules/mangled.cf
#meta_addition.cf http://www.exit0.us/rules/meta_addition.cf
#mr_wiggly.cf http://www.exit0.us/rules/mr_wiggly.cf
#popcorn_new.cf http://www.exit0.us/rules/popcorn_new.cf
#random.current.cf http://www.exit0.us/rules/random.current.cf
#ratware.cf http://www.exit0.us/rules/ratware.cf
#sc_top200.cf http://www.exit0.us/rules/sc_top200.cf
#useless.cf http://www.exit0.us/rules/useless.cf
#vbounce.cf http://www.exit0.us/rules/vbounce.cf
#weeds.cf http://www.exit0.us/rules/weeds.cf
#weeds_2.cf http://www.exit0.us/rules/weeds_2.cf
##
## - warning: rulesemporium.com currently has a limit on the number of downloads allowed per day
##
#70_sare_adult.cf http://www.rulesemporium.com/rules/70_sare_adult.cf
# SARE Adult rules are designed to catch spam with "Adult" material.
#70_sare_bayes_poison_nxm.cf http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf
# Bayes poison using lists of words with equal length
#
#70_sare_genlsubj.cf http://www.rulesemporium.com/rules/70_sare_genlsubj.cf
# 70_sare_genlsubj.cf (with no digit or suffix) contains all six files combined together.
#70_sare_genlsubj0.cf http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf
# 70_sare_genlsubj0.cf contains those SARE_SUB_* rules which in all mass-check testing hit ONLY spam. More, as of version 01.02.00, only those rules that hit "significant" spam (at least 10 spam across our mass-check runs) are included. This is the safest and most efficient of the six SARE_SUB_* rulesets for use. However, systems with specific characteristics should pay attention to the topics included.
#70_sare_genlsubj1.cf http://www.rulesemporium.com/rules/70_sare_genlsubj1.cf
# Unlike 70_sare_genlsubj0.cf, the 70_sare_genlsubj1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests. The S/O calculated by SA's hit-frequencies scripts are all at or above 0.900. Systems which are excessively sensitive to false positives may want to exclude this ruleset, pick and choose among its rules, or lower their scores.
#70_sare_genlsubj2.cf http://www.rulesemporium.com/rules/70_sare_genlsubj2.cf
# 70_sare_genlsubj2.cf contains only rules which test for obfuscation within subject headers. These rules have been examined to avoid false positives, to hit only on their obfuscated targets. This file is therefore considered "safe." However, this subset of SARE_SUB_*_OB* rules do not hit any emails during SARE mass-check testing against current corpora. Therefore, systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset to avoid its regex overhead.
#70_sare_genlsubj3.cf http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf
# 70_sare_genlsubj3.cf contains a subset of SARE_SUB_* rules which hit a significant amount of ham during SARE mass-check tests. Systems which are very sensitive to false positives should NOT install this ruleset. However, these rules are included in this file because SARE members find them useful. Therefore aggressively anti-spam systems that do not need to be conservative in their spam analysis may wish to include this file.
#70_sare_genlsubj_arc.cf http://www.rulesemporium.com/rules/70_sare_genlsubj_arc.cf
# 70_sare_genlsubj_arc.cf contains a subset of SARE_SUB_* rules which used to hit spam, but which during recent mass-check runs have not hit any emails at all. SARE will retest these regularly, and move those that again begin to hit spam into the other files within this set. Systems with plenty of horsepower may wish to include this file, to gain benefits faster if/when these rules begin to hit spam again. Systems that are the least bit sensitive to resource usage should avoid this file.
#70_sare_genlsubj_eng.cf http://www.rulesemporium.com/rules/70_sare_genlsubj_eng.cf
# 70_sare_genlsubj_eng.cf contains a subset of SARE_SUB_* rules which seem to be language-dependent, specifically dependent upon the English languages. Systems that receive almost exclusively English emails can benefit greatly from this file. However, if run against emails written in a different language, these rules might be more or less likely to hit spam and/or ham. SARE doesn't have enough non-English spam to determine what might happen. Therefore, if your inbound emails contain significant non-English messages, you should avoid this file.
#
#70_sare_header.cf http://www.rulesemporium.com/rules/70_sare_header.cf
# 70_sare_header.cf (with no digit) contains all four files combined together.
#70_sare_header0.cf http://www.rulesemporium.com/rules/70_sare_header0.cf
# 70_sare_header0.cf contains those header rules which in all SARE mass-check testing hit ONLY spam. This is the safest of the four header rulesets for use.
#70_sare_header1.cf http://www.rulesemporium.com/rules/70_sare_header1.cf
# Unlike 70_sare_header0.cf, the 70_sare_header1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests. The S/O calculated by SA's hit-frequencies scripts are all at or above 0.900. Systems which are excessively sensitive to false positives may want to exclude this ruleset, pick and choose among its rules, or lower their scores.
#70_sare_header2.cf http://www.rulesemporium.com/rules/70_sare_header2.cf
# 70_sare_header2.cf contains only rules which do not currently hit any emails during SARE mass-check testing against current corpora. Therefore, systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset to avoid its regex overhead.
#70_sare_header3.cf http://www.rulesemporium.com/rules/70_sare_header3.cf
# 70_sare_header3.cf contains a subset of header rules which hit a significant amount of ham during SARE mass-check tests. Systems which are very sensitive to false positives should probably NOT install this ruleset.
#
#70_sare_highrisk.cf http://www.rulesemporium.com/rules/70_sare_highrisk.cf
# 70_sare_highrisk.cf is developed because there are spam signs which readily detect spam, and which in our testing do not flag significant ham, but theoretically there is no reason for such rules to not flag ham. We therefore consider these to be "high risk" rules, useful for many systems at this time, but not suitable for systems that must be very conservative and cautious in their spam detection.
#
#70_sare_html.cf http://www.rulesemporium.com/rules/70_sare_html.cf
# The first four files are also available combined into one file as 70_sare_html.cf (no digit)
#70_sare_html0.cf http://www.rulesemporium.com/rules/70_sare_html0.cf
# 70_sare_html0.cf contains those SARE_HTML_* rules which in all SARE mass-check testing hit ONLY spam. This is the safest of the four SARE_HTML_* rulesets for use.
#70_sare_html1.cf http://www.rulesemporium.com/rules/70_sare_html1.cf
# Unlike 70_sare_html0.cf, the 70_sare_html1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests. The S/O calculated by SA's hit-frequencies scripts are all at or above 0.900. Systems which are excessively sensitive to false positives may want to exclude this ruleset, pick and choose among its rules, or lower their scores.
#70_sare_html2.cf http://www.rulesemporium.com/rules/70_sare_html2.cf
# 70_sare_html2.cf contains only rules which test for various types of obfuscation within HTML coding. This subset of SARE_HTML_* rules do not hit any emails during SARE mass-check testing against current corpora. Therefore, systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset to avoid its regex overhead.
#70_sare_html3.cf http://www.rulesemporium.com/rules/70_sare_html3.cf
# 70_sare_html3.cf contains a subset of SARE_HTML_* rules which either hit a significant amount of ham during SARE mass-check tests, or hit so few spam that we cannot be confident that our scores are fully appropriate. Systems which are very sensitive to false positives should probably NOT install this ruleset.
#70_sare_html_eng.cf http://www.rulesemporium.com/rules/70_sare_html_eng.cf
# 70_sare_html_eng.cf contains a subset of SARE_HTML_* rules which we believe are useful for systems that expect ham only in the English language, and not in other languages. These rules are liable to FP against non-spam messages in languages that use accented characters.
#
#70_sare_oem.cf http://www.rulesemporium.com/rules/70_sare_oem.cf
# 70_sare_oem.cf tries to detect people selling OEM software to consumers.
#70_sare_random.cf http://www.rulesemporium.com/rules/70_sare_random.cf
# 70_sare_random.cf tries to detect common mis-fires on bulk mail software. Many signs are found like: %RND_NUMBER, etc.
#70_sare_ratware.cf http://www.rulesemporium.com/rules/70_sare_ratware.cf
#70_sare_specific.cf http://www.rulesemporium.com/rules/70_sare_specific.cf
# Rule set which flags specific spam and/or spam from specific spammers
#70_sare_spoof.cf http://www.rulesemporium.com/rules/70_sare_spoof.cf
# 70_sare_spoof.cf tries to detect common spoofing attempts by spammers. Many use a Message-ID of one provider but the message was never passed through the suggested system.
#70_sare_unsub.cf http://www.rulesemporium.com/rules/70_sare_unsub.cf
# 70_sare_unsub.cf looks for common unsubscribe phrases and codes in spam.
#70_sc_top200.cf http://www.rulesemporium.com/rules/70_sc_top200.cf
# 70_sc_top200.cf is the Top 200 spam relays condensed into as few rules as possible. If you use this, please see notes below.
#71_sare_bml_pre25x.cf http://www.rulesemporium.com/rules/71_sare_bml_pre25x.cf
#71_sare_redirect_pre3.0.0.cf http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf
#72_sare_bml_post25x.cf http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf
#72_sare_redirect_post3.0.0.cf http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
#99_sare_fraud_post25x.cf http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf
#99_sare_fraud_pre25x.cf http://www.rulesemporium.com/rules/99_sare_fraud_pre25x.cf
#bigevil.cf http://www.rulesemporium.com/rules/bigevil.cf
# BigEvil looks for known spammer URLs in the spam. But is now TOO HUGE. Please use www.surbl.org!
#evilnumbers.cf http://www.rulesemporium.com/rules/evilnumbers.cf
# Addresses and phone numbers harvested from spam
##
## - warning, these sa-blacklists can be quite large
##
#sa-blacklist.current http://www.stearns.org/sa-blacklist/sa-blacklist.current
# William Stearns' sa-blacklist
#sa-blacklist.current.uri.cf http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
# William Stearns' URI blacklist