# SpamAssassin rules file: URI tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
###########################################################################

require_version @@VERSION@@

uri NUMERIC_HTTP_ADDR		/^https?\:\/\/\d{7,}/is
describe NUMERIC_HTTP_ADDR	Uses a numeric IP address in URL

uri LONG_NUMERIC_HTTP_ADDR	/^https?\:\/\/000\d+/is
describe LONG_NUMERIC_HTTP_ADDR	Uses a long numeric IP address in URL

uri NORMAL_HTTP_TO_IP		/^https?\:\/\/(?:\S*\@)?\d+\.\d+\.\d+\.\d+/i
describe NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL
 	
uri HTTP_USERNAME_USED		/^https?\:\/\/[^\s\/]+\@/is
describe HTTP_USERNAME_USED	Uses a username in a URL

uri HTTP_WITH_EMAIL_IN_URL	/^https?\:\/\/\S+=[-_\+a-z0-9\.]+\@[-_\+a-z0-9\.]+\.[-_\+a-z0-9]{2,3}(?:\&|\s)/
describe HTTP_WITH_EMAIL_IN_URL	'remove' URL contains an email address

# Theo sez:
# Have gotten FPs off this, and whitespace can't be in the host, so...
# %    Visit my homepage: http://i.like.foo.com %
uri HTTP_ESCAPED_HOST		/^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST	Uses %-escapes inside a URL's hostname

# note: do not match \r or \n
uri HTTP_CTRL_CHARS_HOST	/^https?\:\/\/[^\/\s]*[\x00-\x08\x0b\x0c\x0e-\x1f]/
describe HTTP_CTRL_CHARS_HOST	Uses control sequences inside a URL's hostname

# look for URI with escaped 0-9, A-Z, or a-z characters (other safe
# characters are sometimes unnecessarily escaped in nonspam; requiring
# "http" or "https" reduces false positives)
uri HTTP_EXCESSIVE_ESCAPES	/^https?:\/\/\S*%(?:3[0-9]|[46][1-9a-f]|[57][\da])/i
describe HTTP_EXCESSIVE_ESCAPES	Completely unnecessary %-escapes inside a URL

# thx to vince.delvecchio@analog.com for the legwork on the negative
# lookbehinds here; saved a lot of work for us (bug 1035).
uri PORN_4			/^https?:\/\/[\w\.-]*(?:xxx|(?<!es)(?<!dle|sus)sex|anal(?!og|y[sz])|slut|pussy|cum|nympho|suck|porn|hard-?core|taboo|whore|voyeur|lesbian|gurlpages|naughty|lolita|(?<!thir|four|eigh|nine)(?<!fif|six)(?<!seven)teen|schoolgirl|kooloffer|erotic|lust(?!(?<=illust)(?:rat|rious)|(?<=clust)er)|pant(?:y|ies))[\w-]*\./
describe PORN_4			URL uses words and phrases which indicate porn (4)

# some frequently-advertised URLs
uri WWW_CLIK4YOU_COM		/clik4you\.com/i
describe WWW_CLIK4YOU_COM	Frequent SPAM content

uri UNSUB_SCRIPT		/^https?:\/\/.*?cgi.*?(?:unsubscribe|remove)/i
describe UNSUB_SCRIPT		URL of CGI script called "unsubscribe" or "remove"

uri UNSUB_PAGE			/^https?:\/\/.*?(?!cgi).*?unsubscribe/i
describe UNSUB_PAGE		URL of page called "unsubscribe"
 	
uri REMOVE_PAGE			/^https?:\/\/[^\/]+\/.*?remove/
describe REMOVE_PAGE		URL of page called "remove"
 	
uri MAILTO_WITH_SUBJ		/^mailto:\S+\?subject=/is
describe MAILTO_WITH_SUBJ	Includes a link to send a mail with a subject
 	
uri MAILTO_TO_SPAM_ADDR		/^mailto:[a-z]+\d{2,}\@/is
describe MAILTO_TO_SPAM_ADDR	Includes a link to a likely spammer email address
 	
uri MAILTO_TO_REMOVE		/^mailto:.*?remove/is
describe MAILTO_TO_REMOVE	Includes a 'remove' email address

# one spamhaus uses servers numbered like this:
uri HTTP_NUMBER_WORD		/^https?:\/\/(?:zero|one|two|three|four|five|six|seven|eight|nine|ten|eleven|twelve|thirteen|fourteen|fifteen|sixteen|seventeen|eighteen|nineteen|twenty)\./i
describe HTTP_NUMBER_WORD	URL contains spamhaus signature: numbered servers

uri JAVASCRIPT_URI		/^javascript:/i
describe JAVASCRIPT_URI		Javascript protocol in a URI

# allow port 80, that's the HTTP port after all, so not wierd ;)
# Dilbert does this for some reason.
# we don't want to hit http://www.cnn.com:USArticle1840@www.liquidshirts.com/
# though, which actually doesn't have a weird port in it.
uri WEIRD_PORT			m{https?://[^/\s]+?:(?:[^8][^0]|\d|\d\d\d+)(?:/|\s|$)}
describe WEIRD_PORT		Uses non-standard port number for HTTP

# looks for a username and (optional) password in an url
uri USERPASS			m{https?://[^/\s]+?(?::.+?)?\@}
describe USERPASS		URL contains username and (optional) password

uri WWW_AUTOREMOVE_COM		/autoremove\.com/i   
describe WWW_AUTOREMOVE_COM	Frequent SPAM content
 	
uri E_WEBHOSTCENTRAL_URL	/e-webhostcentral\.com/i
describe E_WEBHOSTCENTRAL_URL	Frequent SPAM content
 	
uri FREEMEGS_URL		/25freemegs\.com/i
describe FREEMEGS_URL		Frequent SPAM content   
 	
uri FREEWEBCO_NET_URL		/freewebco\.net/i
describe FREEWEBCO_NET_URL	Frequent SPAM content
 	
uri FREEWEBHOSTINGCENTRAL	/freewebhostingcentral/i   
describe FREEWEBHOSTINGCENTRAL	Frequent SPAM content  
 	
uri URI_IS_POUND		m{\#$}
describe URI_IS_POUND		Filename is just a '\#'; probably a JS trick
 	
uri WEB4PORNO_URL		/web4porno\.com/i
describe WEB4PORNO_URL		Frequent SPAM content
 	
uri WWW_NETSITESFORFREE_NET		/netsitesforfree\.net/i
describe WWW_NETSITESFORFREE_NET	Frequent SPAM content
 	
uri WWW_REMOVEYOU_COM		/removeyou\.com/i
describe WWW_REMOVEYOU_COM	Frequent SPAM content

uri YELLOWSUN			/yellowsun01\.com/i   
describe YELLOWSUN		Frequent SPAM content
 	
uri BTAMAIL_URL			/btamail\.net\.cn/i
describe BTAMAIL_URL		Frequent SPAM content
 	
uri CHINA_URL			/(?:freehost|yada)china\.com/i
describe CHINA_URL		Frequent SPAM content
 	
uri MAILTO_TO_B2BMAIL		/^mailto:[^\s\@]{1,20}\@b2b-?mail\./is
describe MAILTO_TO_B2BMAIL	Includes a link to a likely spammer email address (b2b-mail)

uri DAILY_PL			/\/logic\/[a-z]{2}\.pl/
describe DAILY_PL		Spam URL pattern, DailyPromotions redirect link

uri DAILY_PXE			/http:\/\/(?:pxe|fx)\./i
describe DAILY_PXE		Spam URL pattern, DailyPromotions server link

uri E_MAILPROMO_URL		/\be-mailpromo\.net/
describe E_MAILPROMO_URL	Includes a link to a likely spammer domain (e-mailpromo.net)

uri BARGAIN_URL			/bargains?\.(?:com|biz)/
describe BARGAIN_URL		Includes a link to a likely spammer domain