SARE - SpamAssassin Rules Emporium

SARE Rules

If the ruleset name ends in "post25x", it contains features that are supported in SpamAssassin 2.5x or higher. If you are running an earlier version of SpamAssassin please use the "pre25x" version of that set.

For auto-updates: RulesDuJour is a bash script intended to automatically download new versions of SpamAssassin rulesets as the authors release new versions.

7x_sare_redirect_*.cf
Description: Rules to detect commonly abused redirectors and URI obfuscation techniques.
Created by: Jesse Houwing, with thanks to Loren Wilton
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-07-16
Auto-update: Yes
RDJ usage: add this text snippet to your RDJ setup and add either "SARE_REDIRECT" (pre3.0.0) or "SARE_REDIRECT_POST300" (post3.0.0) to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf
http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
Note: Read the changelog in the set itself. This set contains two HAM rules. These are disabled by default; you'll find them at the bottom of the set. The ruleset "sare_redirect" is available in two versions. The version that ends in post3.0.0 contains features that are supported in SpamAssassin 3.0 or higher. If you are running an earlier version of SpamAssassin, please use the pre3.0.0 version of that set. Do not use both rulesets!
Sample Results: To be done.
bigevil.cf
Description: BigEvil looks for known spammer URLs in the spam.
Created by: Chris S.
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-04-23
Auto-update: Yes
RDJ usage: add "BIGEVIL" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/bigevil.cf
Note: They only increase spamd memory by 1.5 meg!!! 1.5 meg!!!!!
Submission of new "candidates":
  • Look up your "candidate" with our SURBL+ Checker.
  • If it isn't listed, you will get a submit button. Use it!
Sample Results: To be done.
evilnumbers.cf
Description: Addresses and phone numbers harvested from spam
Created by: Matt Yackley with contributions (too many to list!)
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-07-07
Auto-update: Yes
RDJ usage: add "EVILNUMBERS" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/evilnumbers.cf
PGP/GPG signature: signed by Matt Yackley, key id 0x1129F0D3:
http://www.rulesemporium.com/rules/evilnumbers.cf.sig
Note: Other languages can be found here: http://www.yackley.org/sa-rules/
Sample Results: To be done.
70_sare_bayes_poison_nxm.cf
Description: Bayes poison using lists of words with equal length
Created by: Jesse Houwing
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-04-24
Auto-update: Yes
RDJ usage: add "SARE_BAYES_POISON_NXM" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf
Note: N/A
Sample Results: included in file
coding_html.cf
Description: Previous version of HTML coding rule set (see the HTML rule set below for the newer version).
Created by: committee
License Type: Artistic/GPL dual
Status: Obsolete *
Last update: 2004-03-16
Auto-update: No. Discontinued. File will be deleted around June 20, 2004
Available at: http://www.rulesemporium.com/rules/coding_html.cf
Note: N/A
Sample Results: Masscheck results (2004-04-07)
70_sare_html?.cf
Description: 70_sare_html?.cf rulesets contain HTML coding rules that detect various spammer tricks applied through HTML coding within messages.
Created by: Contributions from many SARE members; published by Bob Menschel
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-06-11
Version: 01.02.06
Auto-update: Yes
RDJ usage: add this text snippet to your RDJ setup and add either one or more of "SARE_HTML0", "SARE_HTML1", "SARE_HTML2", "SARE_HTML3" or (for the whole set) "SARE_HTML" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/70_sare_html0.cf
http://www.rulesemporium.com/rules/70_sare_html1.cf
http://www.rulesemporium.com/rules/70_sare_html2.cf
http://www.rulesemporium.com/rules/70_sare_html3.cf
http://www.rulesemporium.com/rules/70_sare_html.cf (the four files above combined into one file)
http://www.rulesemporium.com/rules/70_sare_html_eng.cf
PGP signatures: signed by Robert Menschel, key id 0x38AA1D47:
http://www.rulesemporium.com/rules/70_sare_html0.cf.sig
http://www.rulesemporium.com/rules/70_sare_html1.cf.sig
http://www.rulesemporium.com/rules/70_sare_html2.cf.sig
http://www.rulesemporium.com/rules/70_sare_html3.cf.sig
http://www.rulesemporium.com/rules/70_sare_html.cf.sig
http://www.rulesemporium.com/rules/70_sare_html_eng.cf.sig
Note: There are five ruleset files in this collection:
  • 70_sare_html0.cf contains those SARE_HTML_* rules which in all SARE mass-check testing hit ONLY spam. This is the safest of the four SARE_HTML_* rulesets for use.
  • Unlike 70_sare_html0.cf, the 70_sare_html1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests. The S/O values calculated by SA's hit-frequencies scripts are all at or above 0.900. Systems which are excessively sensitive to false positives may want to exclude this ruleset, pick and choose among its rules, or lower their scores.
  • 70_sare_html2.cf contains only rules which test for various types of obfuscation within HTML coding. This subset of SARE_HTML_* rules does not hit any emails during SARE mass-check testing against current corpora. Therefore, systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset to avoid its regex overhead.
  • 70_sare_html3.cf contains a subset of SARE_HTML_* rules which either hit a significant amount of ham during SARE mass-check tests, or hit so few spam that we cannot be confident that our scores are fully appropriate. Systems which are very sensitive to false positives should probably NOT install this ruleset.
  • 70_sare_html_eng.cf contains a subset of SARE_HTML_* rules which we believe are useful for systems that expect ham only in the English language, and not in other languages. These rules are liable to FP against non-spam messages in languages that use accented characters.
The first four files are also available combined into one file as 70_sare_html.cf (no digit)
Sample Results: masscheck for html0 thru html3 (2004-06-12)
70_sare_header_abuse.cf
Description: Previous version of HTML coding rule set (see the HTML rule set below for the newer version).
Created by: committee
License Type: Artistic/GPL dual
Status: Obsolete *
Last update: 2004-03-16
Auto-update: No. Discontinued. File will be deleted around July 15, 2004
Available at: http://www.rulesemporium.com/rules/70_sare_header_abuse.cf
Note: N/A
Sample Results: Masscheck results (2004-04-10)
70_sare_specific.cf
Description: Rule set which flags specific spam and/or spam from specific spammers
Created by: Bob Menschel, with help from other SARE ninjas
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-05-28
Auto-update: Yes
RDJ usage: add "SARE_SPECIFIC" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/70_sare_specific.cf
Note: Incorporates Chris Santerre's Mr. Wiggly rules
Sample Results: Masscheck results (2004-05-28)
70_sare_ratware.cf
Description: Needs description
Created by:  
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-03-16
Auto-update: Yes
RDJ usage: add "SARE_RATWARE" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/70_sare_ratware.cf
Note: N/A
Sample Results: Masscheck results (2004-04-10)
70_sare_adult.cf
Description: SARE Adult rules are designed to catch spam with "Adult" material.
Created by: Matt Yackley with contributions (too many to list!)
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-05-10
Version: 01.02.01
Auto-update: Yes
RDJ usage: add "SARE_ADULT" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/70_sare_adult.cf
Note: N/A
Sample Results: Masscheck results (2004-04-09)
7x_sare_bml_learn_*.cf
Description: SARE "BML" rules are designed to catch "business, marketing and educational" spam.
Created by: Matt Yackley with contributions (too many to list!)
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-05-10
Version: 01.02.01
Auto-update: Yes
RDJ usage: add "SARE_BML" (post25x) or "SARE_BML_PRE25X" (pre25x) to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf
http://www.rulesemporium.com/rules/71_sare_bml_pre25x.cf
Note: The ruleset "biz_market_learn" is available in two versions. The version that ends in post25x contains features that are supported in SpamAssassin 2.5x or higher. If you are running an earlier version of SpamAssassin please use the "pre25x" version of that set. Do not use both rulesets!
Sample Results: Masscheck results for post25x (2004-05-08)
Masscheck results for pre25x (2004-04-13)
99_sare_fraud_*.cf
Description: SARE Fraud rules are designed to catch "Nigerian 419", "International Lotto", etc. type scams.
Created by: Matt Yackley (inspired by the work of Carl Friend, w/ submissions from Bob Menschel)
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-05-01
Version: 01.03.02
Auto-update: Yes
RDJ usage: add "SARE_FRAUD" (post25x) or "SARE_FRAUD_PRE25X" (pre25x) to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf
http://www.rulesemporium.com/rules/99_sare_fraud_pre25x.cf
Note: The ruleset "fraud" is available in two versions. The version that ends in post25x contains features that are supported in SpamAssassin 2.5x or higher. If you are running an earlier version of SpamAssassin please use the "pre25x" version of that set. Do not use both rulesets!
Sample Results: Masscheck results for post25x (2004-04-11)
Masscheck results for pre25x (2004-04-13)
70_sare_spoof.cf
Description: 70_sare_spoof.cf tries to detect common spoofing attempts by spammers. Many use a Message-ID of one provider even though the message never passed through the system that the Message-ID suggests.
Created by: Fred Tarasevicius & Robert Menschel
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-05-19
Version: 01.06.01
Auto-update: Yes
RDJ usage: add "SARE_SPOOF" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/70_sare_spoof.cf
Note: N/A
Sample Results: Masscheck results (2004-05-28)
70_sare_random.cf
Description: 70_sare_random.cf tries to detect common misfires of bulk mail software. Many telltale signs are found, such as %RND_NUMBER.
Created by: Fred Tarasevicius with contributions (too many to list!)
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-05-17
Version: 01.30.01
Auto-update: Yes
RDJ usage: add "SARE_RANDOM" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/70_sare_random.cf
Note: N/A
Sample Results: Masscheck results (2004-05-22)
70_sc_top200.cf
Description: 70_sc_top200.cf is the Top 200 spam relays condensed into as few rules as possible. If you use this, please see notes below.
Created by: Fred Tarasevicius
License Type: Artistic/GPL dual
Status: Active *
Last update: see note below
Version: 01.00.00
Auto-update: Yes - Mandatory
Available at: http://www.rulesemporium.com/rules/70_sc_top200.cf
Note: Do not use these if you use SpamCop.net's blacklist (default with net enabled on 2.63). This ruleset is created from that data. You must use some type of update script or manually update these often. The Top 200 list is dynamically created once a day and these rules are generated from that data. The rules are automatically uploaded to this server at random times Monday-Friday.
Sample Results: Dynamic data does not produce good results; this data is the top 200 and, as long as you update, it should work very well for you.
70_sare_oem.cf
Description: 70_sare_oem.cf tries to detect people selling OEM software to consumers.
Created by: Fred Tarasevicius w/ Additions by Jesse Houwing
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-06-10
Version: 01.05.03
Auto-update: Yes
RDJ usage: add "SARE_OEM" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/70_sare_oem.cf
Note: N/A
Sample Results: Masscheck results (2004-04-16)
70_sare_genlsubj?.cf
Description: 70_sare_genlsubj?.cf rulesets contain Subject header rules that are not found in other SARE rulesets.
Created by: Contributions from many SARE members; published by Bob Menschel
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-06-10
Version: 01.01.02
Auto-update: Yes
RDJ usage: add this text snippet to your RDJ setup and add either one or more of "SARE_GENLSUBJ0", "SARE_GENLSUBJ1", "SARE_GENLSUBJ2", "SARE_GENLSUBJ3" or (for the whole set) "SARE_GENLSUBJ" to "TRUSTED_RULESETS" (more info)
Available at: http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj1.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj2.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj.cf
PGP signatures: signed by Robert Menschel, key id 0x38AA1D47:
Note: genlsubj 0/1 signed by Matt Yackley, key id 0x1129F0D3:
http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf.sig
http://www.rulesemporium.com/rules/70_sare_genlsubj1.cf.sig
http://www.rulesemporium.com/rules/70_sare_genlsubj2.cf.sig
http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf.sig
http://www.rulesemporium.com/rules/70_sare_genlsubj.cf.sig
Note: There are four ruleset files in this collection:
  • 70_sare_genlsubj0.cf contains those SARE_SUB_* rules which in all SARE mass-check testing hit ONLY spam. This is the safest of the four SARE_SUB_* rulesets for use. However, systems with specific characteristics should pay attention to the topics included.
  • Unlike 70_sare_genlsubj0.cf, the 70_sare_genlsubj1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests. The S/O values calculated by SA's hit-frequencies scripts are all at or above 0.900. Systems which are excessively sensitive to false positives may want to exclude this ruleset, pick and choose among its rules, or lower their scores.
  • 70_sare_genlsubj2.cf contains only rules which test for obfuscation within subject headers. This subset of SARE_SUB_*_OB* rules does not hit any emails during SARE mass-check testing against current corpora. Therefore, systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset to avoid its regex overhead.
  • 70_sare_genlsubj3.cf contains a subset of SARE_SUB_* rules which hit a significant amount of ham during SARE mass-check tests. Systems which are very sensitive to false positives should probably NOT install this ruleset.
70_sare_genlsubj.cf (with no digit) contains all four files combined together.
Sample Results: masscheck for file 0 through file 3 (2004-06-12)
70_sare_highrisk.cf
Description: 70_sare_highrisk.cf was developed because there are spam signs which readily detect spam and which in our testing do not flag significant ham, but there is theoretically no reason why such rules could not flag ham. We therefore consider these to be "high risk" rules, useful for many systems at this time, but not suitable for systems that must be very conservative and cautious in their spam detection.
Created by: Robert Menschel
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-05-28
Version: 01.00.00
Auto-update: Yes.
Available at: http://www.rulesemporium.com/rules/70_sare_highrisk.cf
Note: Because of the risk factor, if you use these rules, and if you use an auto-update script, you should include this script in that auto-update. This will automate any decrease in score or rule elimination required by the discovery of new hams that match the rule. As of May 28 2004, there is one rule in this rule set, moved here from the spoof rule set.
Sample Results: Masscheck results (2004-05-25)