# SpamAssassin rules file: phrase tests # # Please don't modify this file as your changes will be overwritten with # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # Note: body tests are run with long lines, so be sure to limit the # size of searches; use /.{0,30}/ instead of /.*/ to avoid huge # search times. # # <@LICENSE> # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to you under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at: # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ########################################################################### # bug 1022: MGM_POSTCARD #2 original body REMOVE_POSTAL /(?:Send(?:ing)? a (?:postal mail|postcard) to (?:Unsubscribe|Customer ?Service|remove)|unsubscribe by (?:postal mail|postcard))/i describe REMOVE_POSTAL Send real mail to be unsubscribed # new way to phrase unsubscribe link body REMOVE_BEFORE_LINK m{(?:no thanks|not interested|unsubscribe here).{0,5}http://}i describe REMOVE_BEFORE_LINK Removal phrase right before a link ########################################################################### # CLICK rules # note HTML_LINK_CLICK* rules in HTML parser section body CLICK_BELOW_CAPS /CLICK\s.{0,30}(?:HERE|BELOW)/s describe CLICK_BELOW_CAPS Asks you to click below (in capital letters) body CLICK_TO_REMOVE_1 /click here to be (?:permanently )?(?:removed|deleted)/i describe CLICK_TO_REMOVE_1 Click to be removed body SENT_IN_COMPLIANCE /(?:e.?mail|message) .{0,10}sen[dt] (?:to you )?in (?:\w{1,10} )?compliance (?:of|with)/i describe SENT_IN_COMPLIANCE Claims compliance with spam regulations body BILL_1618 /\bs\W{0,4}1618\b/i describe BILL_1618 Possible mention of bill 1618 (anti-spam bill) body FULL_REFUND /full refund|refunds? your money in full/i describe FULL_REFUND Offers a full refund body NO_COST /\bno (?:cost|charge)\b/i describe NO_COST No such thing as a free lunch (3) body GUARANTEED_100_PERCENT /100% GUARANTEED/i describe GUARANTEED_100_PERCENT One hundred percent guaranteed body DEAR_FRIEND /^\s*Dear Friend\b/i describe DEAR_FRIEND Dear Friend? That's not very dear! body DEAR_SOMETHING /\bDear (?:IT\W|Internet|candidate|sirs?|madam|investor|travell?er|car shopper|web)\b/i describe DEAR_SOMETHING Contains 'Dear (something)' body BILLION_DOLLARS /[BM]ILLION DOLLAR/ describe BILLION_DOLLARS Talks about lots of money body OPTING_OUT_CAPS /\b(?-i:O)pt.?(?-i:O)ut\b/i describe OPTING_OUT_CAPS Talks about opting out (capitalized version) body EXCUSE_4 /To Be Removed,? Please/i describe EXCUSE_4 Claims you can be removed from the list # strange pattern because otherwise it matches the std. majordomo line # pls note the comment above. DO NOT just put "to" in the first group! body EXCUSE_6 /\b(?:wish to|click to) remove yourself/i describe EXCUSE_6 Claims you can be removed from the list body EXCUSE_10 /if you (?:(?:want|wish|care|prefer) not to |do ?n[o']t (?:want|wish|care) to )(?:be contacted again|receive (?:any ?)?(?:more|future|further)\b.{1,10}\b(?:e?-?mail|message|offer|solicitation)s?|be included)/i describe EXCUSE_10 "if you do not wish to receive any more" body EXCUSE_12 /this (?:e?-?mail|message) (?:(?:has )?reached|was sent to) you in error/i describe EXCUSE_12 Nobody's perfect body EXCUSE_23 /you have provided permission/i describe EXCUSE_23 Claims you have provided permission body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i describe EXCUSE_24 Claims you wanted this ad body EXCUSE_REMOVE /to be removed from.{0,20}(?:mailings|offers)/i describe EXCUSE_REMOVE Talks about how to be removed from mailings body STRONG_BUY /strong buy/i describe STRONG_BUY Tells you about a strong buy body WE_HONOR_ALL /\b(?:honou?r|respect)(?: all)? remov(?:e|al) requests?\b/i describe WE_HONOR_ALL Claims to honor removal requests body STOCK_ALERT /\bstock alert/i describe STOCK_ALERT Offers a alert about a stock body MICRO_CAP_WARNING /Investing in micro-cap securities is highly speculative/i describe MICRO_CAP_WARNING SEC-mandated penny-stock warning body NOT_ADVISOR /not a registered investment advisor/i describe NOT_ADVISOR Not registered investment advisor body SOME_BREAKTHROUGH /\b(?:science|medical|major|scientific|fundamental|technology|revolutionary)\s+breakthrough/i describe SOME_BREAKTHROUGH Describes some sort of breakthrough body PREST_NON_ACCREDITED /prestigi?ous\b.{0,20}\bnon-accredited\b.{0,20}\buniversities/i describe PREST_NON_ACCREDITED 'Prestigious Non-Accredited Universities' body BODY_ENHANCEMENT /\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b).{0,50}\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer))/i describe BODY_ENHANCEMENT Information on growing body parts body BODY_ENHANCEMENT2 /\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer)).{0,50}\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b)/i describe BODY_ENHANCEMENT2 Information on getting larger body parts body IMPOTENCE /\b(?:impotence (?:problem|cure|solution)|Premature Ejaculation|erectile dysfunction)/i describe IMPOTENCE Impotence cure body MORTGAGE_BEST /\b(?:low(?:est|er)?|free|second|rate|best|refinanc(?:e|ing)|online|instant) mortgage/i describe MORTGAGE_BEST Information on mortgages body MORTGAGE_PITCH /mortgage (?:rates?|quotes?|approv(?:al|ed)|payment|interest|loans?|app(?:\b|lication))/i describe MORTGAGE_PITCH Looks like mortgage pitch body MORTGAGE_RATES /Mortgage rates/i describe MORTGAGE_RATES Information on mortgage rates # this works best as rawbody # do not add "subscribe", "unsubscribe", or "help" rawbody MAILTO_SUBJ_REMOVE /mailto:.{0,64}\@.{0,64}\?subject=(?:\"|3D)*(?:remove?|delete|please.?(?:delete|remove|unsubscribe)|abuse|off\b|stop|take.?me.?off)/i describe MAILTO_SUBJ_REMOVE mailto URI includes removal text body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i describe NA_DOLLARS Talks about a million North American dollars body US_DOLLARS_3 /(?:\$|usd).?\d{1,3}[,.]\d{3}[,.]\d{3}(?:[,.]\d\d)?/i describe US_DOLLARS_3 Mentions millions of $ ($NN,NNN,NNN.NN) body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i describe MILLION_USD Talks about millions of dollars rawbody FRONTPAGE /FrontPage.Editor/ describe FRONTPAGE Frontpage used to create the message body RESISTANCE_IS_FUTILE /Replying to this email will not unsubscribe you./i describe RESISTANCE_IS_FUTILE Resistance to this spam is futile body URG_BIZ /urgent.{0,16}(?:assistance|business|buy|confidential|notice|proposal|reply|request|response)/i describe URG_BIZ Contains urgent matter body EARN_PER_WEEK /\b(?:earn|make).{1,20}\d\d\d+.{1,30}(?:per week|per month|weekly|monthly)/i describe EARN_PER_WEEK Contains 'earn $something per week' body ALL_NATURAL /\b(?:100%|completely|totally|all) natural/i describe ALL_NATURAL Spam is 100% natural?! body MONEY_BACK /money back guarantee/i describe MONEY_BACK Money back guarantee body NO_OBLIGATION /no obligation/i describe NO_OBLIGATION There is no obligation body RISK_FREE /\b(?:risk[ -]free|no[ -]risk)/i describe RISK_FREE Risk free. Suuurreeee.... # "seen on TV", "seen on ABC/NBC/etc", "seen on XYZ TV", or "seen on:" body AS_SEEN_ON /seen on\s*(?:T\.?V|A\.?B\.?C|N\.?B\.?C|C\.?B\.?S|C\.?N\.?N|Oprah|U\.?S\.?A\.? Today|48 Hours|New York Times|\w+\s+T\.?V|:)/i describe AS_SEEN_ON As seen on national TV! ## Contrib: Marc Perkel body OFFSHORE_SCAM /\boffshore\b.{0,20}(?:credit card|companies|account|financ|websites?)/i describe OFFSHORE_SCAM Off Shore Scams body WHY_PAY_MORE /\bwhy pay more\b/i describe WHY_PAY_MORE Why Pay More? # similar to OFFER, but fewer FPs body RECEIVE_OFFER /receive special offer/i describe RECEIVE_OFFER Receive a special offer body FREE_QUOTE_INSTANT /free.{0,12}(?:(?:instant|express|online|no.?obligation).{0,4})+.{0,32}\bquote/i describe FREE_QUOTE_INSTANT Free express or no-obligation quote body BAD_CREDIT /\b(?:bad|poor|no\b|eliminate|repair|(?:re)?establish|damag).{0,10} (?:credit|debt)\b/i describe BAD_CREDIT Eliminate Bad Credit body CONSOLIDATE_DEBT /(?:consolidate .{0,9} (?:debt|credit|bills)|debt[ -]?(?:consolidation|elimination))/i describe CONSOLIDATE_DEBT Consolidate debt, credit, or bills body REFINANCE_YOUR_HOME /\brefinance your(?: current)? (?:home|house)\b/i describe REFINANCE_YOUR_HOME Home refinancing body REFINANCE_NOW /time to refinance|refinanc\w{1,3}\b.{0,16}\bnow\b/i describe REFINANCE_NOW Home refinancing body NO_MEDICAL /\bno medical exam/i describe NO_MEDICAL No Medical Exams body NO_FORMS /\bno .{0,9}forms\b/i describe NO_FORMS No Claim Forms body WHY_WAIT /\b(?:why wait|what are you waiting for)\b/i describe WHY_WAIT What are you waiting for body YOU_CAN_SEARCH /you can search for anyone/i describe YOU_CAN_SEARCH You can search for anyone body GUARANTEED_STUFF /\bguarantee.{0,15}(?:income|money|monthly)\b/i describe GUARANTEED_STUFF Guaranteed Stuff body AMAZING_STUFF /\bamazing (?:product|rates)/i describe AMAZING_STUFF Amazing Stuff # seems like we vastly reduce FPs on this one with a small change or two body DIET_1 /\b(?:(?:without|no) (?:exercis(?:e(?! price)|ing)|dieting)|weight.?loss|(?:extra|lose|lost|losing).{0,10}(?:pounds|weight|inches|lbs)|burn.{1,10}fat)\b/i describe DIET_1 Lose Weight Spam body DIET_2 /\blo+se.{1,10}\d+.{1,3}(?:lb|pound|kg|kilo)/i describe DIET_2 Describes weight loss body DIET_3 /(?:Body Fat Loss|Loss of body fat|lose.{1,10}body fat)/i describe DIET_3 Describes body fat loss body REVERSE_AGING /\breverses? aging\b/i describe REVERSE_AGING Reverses Aging body HAIR_LOSS /\b(?=[gnrt])(?:thinn?ing|restore|grow|new) hair|\bhair loss/i describe HAIR_LOSS Cures Baldness body WRINKLES /\bwrinkle reduction\b/i describe WRINKLES Removes Wrinkles body WHILE_YOU_SLEEP /\bwhile you sleep\b/i describe WHILE_YOU_SLEEP While you Sleep body HIDDEN_CHARGES /\bhidden charges\b/i describe HIDDEN_CHARGES Talks about Hidden Charges body FIN_FREE /\bfinancial(?:ly)? free/i describe FIN_FREE Freedom of a financial nature body FORWARD_LOOKING /\bcontains forward-looking statements\b/i describe FORWARD_LOOKING Stock Disclaimer Statement body SATIS_GUAR /\bsatisfaction .{0,9}g(?:ua|au)ranteed\b/i describe SATIS_GUAR Mail guarantees satisfaction # Avoid an FP noted by NISHIJIMA Takanori: 'Japanese string sequence: # "Su" "Ku" "Na" "I" "Ko" "Su" "To" "De" "Yo" "Ri" ... # (This string means, "More ...(ex. "productive" or "effective") # with less cost", and is a popular phrase but have no relations # with human growth hormone, of course. :-) # Encoded byte sequence: "$9" "$/" "$J" "$$" "%3" "%9" "%H" "$G" "$h" "$j"' # note FP: ^^^^^^^^^^^^ body __HG_HORMONE /\b(?:human growth hormone|(?-i:HGH)|H.G.H)\b/i meta HG_HORMONE (!__ISO_2022_JP_DELIM && __HG_HORMONE) describe HG_HORMONE Talks about hormones for human growth body EXTRA_CASH /\bextra cash\b/i describe EXTRA_CASH Offers Extra Cash body GET_PAID /\bget (?-i:P)aid\b/i describe GET_PAID Get Paid body ONE_TIME /\bone\W+time (?:charge|investment|offer|promotion)/i describe ONE_TIME One Time Rip Off body COMPETE /\bcompete for your business\b/i describe COMPETE Compete for your business body MEET_SINGLES /\bmeet .{0,12}singles|thousands of personal/i describe MEET_SINGLES Meet Singles body JOIN_MILLIONS /\bjoin (?:millions|thousands)\b/i describe JOIN_MILLIONS Join Millions of Americans body BE_BOSS /\byour own boss\b/i describe BE_BOSS Be your own boss body ML_MARKETING /\b(?:MLM|multi.level.marketing)\b/i describe ML_MARKETING Multi Level Marketing mentioned body CONFIDENTIAL_ORDER /confidential.{0,9} order/i describe CONFIDENTIAL_ORDER Confidentiality on all orders body SAVE_THOUSANDS /\bsave (?:thousands|millions)\b/i describe SAVE_THOUSANDS Save big money body MARKETING_PARTNERS /\b(?:marketing|network) partner|\bpartner (?:web)?site/i describe MARKETING_PARTNERS Claims you registered with a partner body FREE_PREVIEW /\bfree preview\b/i describe FREE_PREVIEW Free Preview body FREE_ACCESS /(?-i:F)ree access/i describe FREE_ACCESS Contains 'free access' with capitals body FREE_SAMPLE /(?-i:F)ree sample/i describe FREE_SAMPLE Contains 'free sample' with capitals body LOW_PRICE /\blow.{0,4} (?-i:P)rice/i describe LOW_PRICE Lowest Price body UNCLAIMED_MONEY /\bunclaimed (?:funds|money|prizes?|rewards?)\b/i describe UNCLAIMED_MONEY People just leave money laying around body OBSCURED_EMAIL /\w+\^\S+\(\w{2,4}\b/ describe OBSCURED_EMAIL Message seems to contain rot13ed address body BANG_EXERCISE /\bexercis(?:e|er|es)!/i describe BANG_EXERCISE Talks about exercise with an exclamation! body BANG_MORE /\b(?-i:M)ore!/i describe BANG_MORE Talks about more with an exclamation! body BANG_OPRAH /\boprah!/i describe BANG_OPRAH Talks about Oprah with an exclamation! body ACT_NOW_CAPS /A(?i:ct) N(?i:ow)/ describe ACT_NOW_CAPS Talks about 'acting now' with capitals body MORE_SEX /increased?.{0,9}(?:sex|stamina)/i describe MORE_SEX Talks about a bigger drive for sex body BANG_GUAR /\bguaranteed?\!/i describe BANG_GUAR Something is emphatically guaranteed body SEE_FOR_YOURSELF /See (?:for|it|it for) yourself\b/i describe SEE_FOR_YOURSELF See for yourself body __RUDE_HTML_1 /Get a capable html e-mailer/i body __RUDE_HTML_2 /not support the display of HTML. Please view this message in a different/i body __RUDE_HTML_3 /This message contains an HTML formatted message but your email client does/i body __RUDE_HTML_4 /Your mailer do not support HTML messages. Switch to a better mailer/i meta RUDE_HTML __RUDE_HTML_1 || __RUDE_HTML_2 || __RUDE_HTML_3 || __RUDE_HTML_4 describe RUDE_HTML Spammer message says you need an HTML mailer body INVESTMENT_ADVICE /\binvestment advice/i describe INVESTMENT_ADVICE Message mentions investment advice body INVESTMENT_EXPERT /\binvestment expert/i describe INVESTMENT_EXPERT Message mentions investment expert body QUALIFY_FOR_THIS /qualify for \w{1,5} (?:special|new|promotion)/i describe QUALIFY_FOR_THIS Qualify for this special... body MALE_ENHANCE /male enhancement/i describe MALE_ENHANCE Message talks about enhancing men body PRICES_ARE_AFFORDABLE /\baffordable .{0,10}prices\b/i describe PRICES_ARE_AFFORDABLE Message says that prices aren't too expensive body REPLICA_WATCH /\breplica.{1,20}rolex/i describe REPLICA_WATCH Message talks about a replica watch body EM_ROLEX /[^\s\w.]rolex/i describe EM_ROLEX Message puts emphasis on the watch manufacturer