# SARE Spammer URI Rule Set for SpamAssassin -- Archive
# Version: 01.01.00
# Created: 2004-09-13
# Modified: 2005-02-19
# Usage instructions and documentation are found in 70_sare_uri0.cf

#@@# Revision History: Full Revision History stored in 70_sare_uri.log

# License: Artistic - see http://www.rulesemporium.com/license.txt
# Current Maintainer: Bob Menschel - uri@rulesemporium.com
# Current Home: http://www.rulesemporium.com/rules/70_sare_uri_arc.cf

# This file, 70_sare_uri_arc.cf, contains rules which have been archived from the primary
# 70_sare_uri*.cf files.

# Reading guide:
#   - Each rule is a `uri` (or `rawbody`/`meta`) test with a `describe` text and a `score`.
#   - The #stype/#hist/#ham/#note/#counts/#max lines are maintainer metadata kept as comments.
#   - #counts / #max lines look like "<spam hits>s/<ham hits>h of <corpus size> corpus
#     (<spam>s/<ham>h <corpus id>) <date>" -- presumably s = spam, h = ham; confirm against
#     the documentation in 70_sare_uri0.cf.
#   - Most rules below show 0s/0h in their latest #counts while #max records earlier hits,
#     i.e. these are static URI signatures that had stopped firing when they were archived.
#     Before enabling any of them, re-measure against current mail: a stale signature adds
#     no detection, and several rules here have recorded ham hits.

######## ###################### ##################################################
# Category: URI links identified by spammer words
######## ###################### ##################################################

# Fires on any URI containing the string "succezz" (case-insensitive, unanchored).
uri SARE_URI_SUCCEZZ /succezz/i
describe SARE_URI_SUCCEZZ link contains common spammer misspelling
score SARE_URI_SUCCEZZ 1.111
#stype SARE_URI_SUCCEZZ spamp
#hist SARE_URI_SUCCEZZ Created by Bob Menschel May 20 2004
#counts SARE_URI_SUCCEZZ 0s/0h of 175589 corpus (98978s/76611h RM) 02/14/05
#max SARE_URI_SUCCEZZ 17s/0h of 61459 corpus (36652s/24807h RM) 08/24/04
#counts SARE_URI_SUCCEZZ 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#max SARE_URI_SUCCEZZ 4s/0h of 19448 corpus (16863s/2585h MY) 09/06/04
#counts SARE_URI_SUCCEZZ 0s/0h of 44759 corpus (16528s/28231h JH-SA3.0rc1) 09/06/04
#counts SARE_URI_SUCCEZZ 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

# Fires on "mrtg" as a whole word anywhere in a URI (case-insensitive).
# NOTE(review): the counts below include ham hits (1h in RM and in JH). "mrtg" is also
# the name of a common network-graphing tool, so links to monitoring pages may match --
# presumably the reason for the very low score; confirm before raising it.
# This is a `uri` test even though the describe text says "body".
uri SARE_URI_MRTG /\bmrtg\b/i
describe SARE_URI_MRTG body contains link to known spammer
score SARE_URI_MRTG 0.083
#hist SARE_URI_MRTG Created by Bob Menschel Apr 26 2004
#counts SARE_URI_MRTG 3s/1h of 175589 corpus (98978s/76611h RM) 02/14/05
#max SARE_URI_MRTG 10s/0h of 96856 corpus (75460s/21396h RM) 05/02/04
#counts SARE_URI_MRTG 1s/1h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#max SARE_URI_MRTG 2s/1h of 44759 corpus (16528s/28231h JH-SA3.0rc1) 09/06/04
#counts SARE_URI_MRTG 1s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#counts SARE_URI_MRTG 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

######## ###################### ##################################################
# Category: URI links identified by technical attributes
######## ###################### ##################################################

# Fires on "aff", optionally followed by "id" (with at most one arbitrary character in
# between, since the `.` in `.?` is unescaped), then one or more digits and a literal dot.
# NOTE(review): the latest RM counts are 0s/3h -- ham hits only -- and a ham source is
# recorded in #ham; treat this as false-positive prone.
uri SARE_URI_AFF_DIG /\baff(?:.?id)?\d+\./i
describe SARE_URI_AFF_DIG URI seems to refer to affiliate id
score SARE_URI_AFF_DIG 0.389
#ham SARE_URI_AFF_DIG newage@newageinfo.com (MMI/New Age Web Works)
#hist SARE_URI_AFF_DIG Created by Bob Menschel May 2 2004
#counts SARE_URI_AFF_DIG 0s/3h of 175589 corpus (98978s/76611h RM) 02/14/05
#max SARE_URI_AFF_DIG 86s/0h of 96854 corpus (75458s/21396h RM) 05/02/04
#counts SARE_URI_AFF_DIG 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#max SARE_URI_AFF_DIG 17s/0h of 19448 corpus (16863s/2585h MY) 09/06/04
#counts SARE_URI_AFF_DIG 0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#max SARE_URI_AFF_DIG 4s/0h of 44759 corpus (16528s/28231h JH-SA3.0rc1) 09/06/04
#counts SARE_URI_AFF_DIG 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

# Fires on the query string "?d=house&a=" in two spellings. "=3D" is the quoted-printable
# encoding of "=", so the first alternative covers URIs seen before that encoding was
# decoded and the second covers the decoded form.
uri SARE_URI_HOUSE /\?d=3Dhouse\&a=3D|\?d=house\&a=/i # 'house' and something else, varies
describe SARE_URI_HOUSE Spammer signature in URL
score SARE_URI_HOUSE 0.733
#hist SARE_URI_HOUSE LW_URI_HOUSE
#counts SARE_URI_HOUSE 0s/0h of 66071 corpus (40111s/25960h RM) 09/11/04
#max SARE_URI_HOUSE 9s/0h of 66947 corpus (41732s/25215h RM) 09/06/04
#counts SARE_URI_HOUSE 0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#counts SARE_URI_HOUSE 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#max SARE_URI_HOUSE 23s/0h of 19447 corpus (16862s/2585h MY) 09/06/04
#counts SARE_URI_HOUSE 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

# Fires on an http:// URI whose host is four dot-separated digit runs, followed by
# ":3333". The pattern is case-sensitive and has no anchor after "3333", so a longer
# port number that merely starts with 3333 also matches; the digit runs are not limited
# to valid octet values.
# NOTE(review): 3.333 is the highest score in this file (SpamAssassin's stock
# required_score is 5.0) and every #counts line below shows zero hits. A bare
# numeric-host-plus-port signature says nothing about who is behind the address today;
# re-measure before enabling at this weight.
uri SARE_URI_IPPORT3333 m'http://\d+\.\d+\.\d+\.\d+:3333'
describe SARE_URI_IPPORT3333 text URL points to spammer IP addr with port 3333
score SARE_URI_IPPORT3333 3.333
#stype SARE_URI_IPPORT3333 spamgg
#hist SARE_URI_IPPORT3333 Created by Bob Menschel May 31 2004
#counts SARE_URI_IPPORT3333 0s/0h of 95130 corpus (59680s/35450h RM) 01/31/05
#max SARE_URI_IPPORT3333 10s/0h of 61442 corpus (36633s/24809h RM) 08/21/04
#counts SARE_URI_IPPORT3333 0s/0h of 19448 corpus (16863s/2585h MY) 09/06/04
#counts SARE_URI_IPPORT3333 0s/0h of 44759 corpus (16528s/28231h JH-SA3.0rc1) 09/06/04
#counts SARE_URI_IPPORT3333 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

# Fires on an http:// URI with a numeric dotted host followed by ":" and four digits.
# There is no anchor after the digits, so five-digit ports match as well.
# NOTE(review): the group in `(\d){4}` captures without the capture being used; `\d{4}`
# would match the same strings.
# NOTE(review): this rule hits legitimate mail -- 14h in RM, and more ham than spam in
# JH (15s/28h); the #ham line mentions control-panel login directions. Numeric hosts
# with explicit ports are common for admin panels and internal tools.
# NOTE(review): the last #counts line is labelled SARE_URI_ANUMA, a rule not defined in
# this file -- presumably a copy/paste slip for SARE_URI_PORTD4; confirm against
# 70_sare_uri.log.
uri SARE_URI_PORTD4 m'http://\d+\.\d+\.\d+\.\d+:(\d){4}'
describe SARE_URI_PORTD4 text URL points to spammer IP addr with port d4
score SARE_URI_PORTD4 0.473
#hist SARE_URI_PORTD4 Created by Bob Menschel Aug 28 2004
#ham SARE_URI_PORTD4 Directions on logging onto web site control panel
#counts SARE_URI_PORTD4 253s/14h of 175589 corpus (98978s/76611h RM) 02/14/05
#counts SARE_URI_PORTD4 15s/28h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#counts SARE_URI_PORTD4 68s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#counts SARE_URI_ANUMA 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

# Fires on "?rid" followed by either the literal "=1000" or the byte 0x10 followed by
# "00". NOTE(review): the second form is presumably what "=1000" turns into when "=10"
# is decoded as a quoted-printable escape -- confirm; the control byte is deliberate,
# not a typo.
uri SARE_URI_REFID2 /\?rid(?:\x10\x30\x30|=1000)/i
describe SARE_URI_REFID2 Spammer signature in URL
score SARE_URI_REFID2 0.783
#hist SARE_URI_REFID2 LW_URI_RID
#counts SARE_URI_REFID2 0s/0h of 70699 corpus (43133s/27566h RM) 10/02/04
#max SARE_URI_REFID2 32s/0h of 66947 corpus (41732s/25215h RM) 09/06/04
#counts SARE_URI_REFID2 0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#counts SARE_URI_REFID2 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#max SARE_URI_REFID2 9s/0h of 19447 corpus (16862s/2585h MY) 09/06/04
#counts SARE_URI_REFID2 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

# Fires on "?id" followed by the byte 0x10 and then "045". NOTE(review): presumably the
# quoted-printable-decoded form of "?id=10045" -- confirm. Unlike SARE_URI_REFID2 there
# is no alternative for the undamaged spelling.
uri SARE_URI_REFID3 /\?id\x10\x30\x34\x35/i
describe SARE_URI_REFID3 Possible spammer sign in URL
score SARE_URI_REFID3 0.555
#stype SARE_URI_REFID3 spamp
#hist SARE_URI_REFID3 LW_URI_ID
#counts SARE_URI_REFID3 0s/0h of 66071 corpus (40111s/25960h RM) 09/11/04
#max SARE_URI_REFID3 6s/0h of 66947 corpus (41732s/25215h RM) 09/06/04
#counts SARE_URI_REFID3 0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#counts SARE_URI_REFID3 0s/0h of 19447 corpus (16862s/2585h MY) 09/06/04
#counts SARE_URI_REFID3 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

# "URI square": a second "http:" appearing within 10 characters after an opening
# "http://", i.e. one URL embedded near the start of another. The negative lookahead
# excludes the doubled prefix "http://http:" itself (the exclusion mentioned in #hist).
# The same pattern is tested against the raw body and against extracted URIs; the two
# sub-rules carry the "__" prefix SpamAssassin uses for non-scoring helpers, and the
# meta rule fires when either one matches.
rawbody __SARE_URI_SQUARE1 m{(?!http://http:)http://[a-z0-9/?&=%_-]{0,10}http:}i
uri __SARE_URI_SQUARE2 m{(?!http://http:)http://[a-z0-9/?&=%_-]{0,10}http:}i
meta SARE_URI_SQUARE __SARE_URI_SQUARE1 || __SARE_URI_SQUARE2
describe SARE_URI_SQUARE URI Square (http:// . . . http://)
score SARE_URI_SQUARE 0.319
#ham SARE_URI_SQUARE See http://bugzilla.spamassassin.org/show_bug.cgi?id=3858
#hist SARE_URI_SQUARE Sep 19 2004: combined two rules into one meta; added exclusion
#counts SARE_URI_SQUARE 0s/0h of 95130 corpus (59680s/35450h RM) 01/31/05
#max SARE_URI_SQUARE 13s/1h of 70699 corpus (43133s/27566h RM) 10/02/04
#counts SARE_URI_SQUARE 0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#counts SARE_URI_SQUARE 1s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#counts SARE_URI_SQUARE 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

######## ###################### ##################################################
# Category: URI links identified by web page/file names
######## ###################### ##################################################

# Fires on a digit, a slash, a single lowercase letter and ".gif" or ".jpg" (for example
# ".../1/a.gif"). Case-sensitive, and nothing anchors the end of the file name.
# NOTE(review): the RM counts include 39 ham hits; short image names under a numbered
# directory are not unusual in legitimate mail.
uri SARE_URI_DIG_LET_PIC /\d\/[a-z]\.(?:gif|jpg)/
describe SARE_URI_DIG_LET_PIC Suspicious file name for graphic
score SARE_URI_DIG_LET_PIC 0.264
#counts SARE_URI_DIG_LET_PIC 316s/39h of 175589 corpus (98978s/76611h RM) 02/14/05
#counts SARE_URI_DIG_LET_PIC 4s/1h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#counts SARE_URI_DIG_LET_PIC 520s/3h of 26190 corpus (22790s/3400h MY) 02/15/05
#counts SARE_URI_DIG_LET_PIC 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

# Fires on a "?p=" or "?P=" query parameter whose value starts with 808<digit>,
# 809<digit>, 810<digit>, "a2", "ace" or "rio". The value alternatives are case-sensitive
# and unanchored at the end, so longer values with these prefixes also match.
# The #note records that p=1 and p=b were seen in ham as well as spam, which is
# presumably why they are not in the list.
uri SARE_URI_P8 /\?[Pp]=(?:80[89]\d|810\d|a2|ace|rio)/
describe SARE_URI_P8 Spammer signature in URL
score SARE_URI_P8 1.666
#hist SARE_URI_P8 From Loren, generalization of SARE_URI_P8809X
#note SARE_URI_P8 p=1 and p=b show up in ham as well as spam
#counts SARE_URI_P8 0s/0h of 68469 corpus (41090s/27379h RM) 09/19/04
#max SARE_URI_P8 315s/0h of 66947 corpus (41732s/25215h RM) 09/06/04
#counts SARE_URI_P8 0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#counts SARE_URI_P8 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#max SARE_URI_P8 166s/0h of 19448 corpus (16863s/2585h MY) 09/18/04
#counts SARE_URI_P8 0s/0h of 682 corpus (290s/392h CRF) 02/16/05

# EOF