# SpamAssassin rules file: drug tests # # This ruleset is intended to detect common "pill spam" however, it is not # appropriate for all environments. It may not be appropriate for a medical or # pharmaceutical environment. If in doubt, adjust the scores of all the rules # to 0.01 and see if they fire off on your daily nonspam. # # Please don't modify this file as your changes will be overwritten with the # next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. See 'perldoc # Mail::SpamAssassin::Conf' for details. # # Note: body tests are run with long lines, so be sure to limit the size of # searches; use /.{0,30}/ instead of /.*/ to avoid huge search times. # # <@LICENSE> # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to you under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at: # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ########################################################################### require_version @@VERSION@@ ########################################################################### # header rules # (only use sufficiently long drug name to make name unique) header SUBJECT_DRUG_GAP_C Subject =~ /\bc.{0,2}i.{0,2}a.{0,2}l.{0,2}i.{0,2}s\b/i describe SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis' header SUBJECT_DRUG_GAP_L Subject =~ /l.{0,2}e.{0,2}v.{0,2}i.{0,2}t.{0,2}r.{0,2}a/i describe SUBJECT_DRUG_GAP_L Subject contains a gappy version of 'levitra' header SUBJECT_DRUG_GAP_S Subject =~ /\bs.{0,1}o.{0,1}m.{0,1}a\b/i describe SUBJECT_DRUG_GAP_S Subject contains a gappy version of 'soma' header SUBJECT_DRUG_GAP_VA Subject =~ /v.{0,2}a.{0,2}l.{0,2}i.{0,2}u.{0,2}m/i describe SUBJECT_DRUG_GAP_VA Subject contains a gappy version of 'valium' header SUBJECT_DRUG_GAP_X Subject =~ /x.{0,2}a.{0,2}n.{0,2}a.{0,2}x/i describe SUBJECT_DRUG_GAP_X Subject contains a gappy version of 'xanax' ########################################################################### # body rules body DRUG_DOSAGE m{[\d\.]+ *\$? *(?:[\\/]|per) *d.?o.?s.?e}i describe DRUG_DOSAGE Talks about price per dose # jm: keep this case-sensitive, otherwise it FP's body DRUG_ED_CAPS /\b(?:CIALIS|LEVITRA|VIAGRA)/ describe DRUG_ED_CAPS Mentions an E.D. drug body DRUG_ED_SILD /\bsildenafil\b/i describe DRUG_ED_SILD Talks about an E.D. drug using its chemical name body DRUG_ED_GENERIC /\bGeneric Viagra\b/ describe DRUG_ED_GENERIC Mentions Generic Viagra body DRUG_ED_ONLINE /\bviagra .{0,25}(?:express|online|overnight)/i describe DRUG_ED_ONLINE Fast Viagra Delivery body ONLINE_PHARMACY /\bonline pharmacy|\b(?:drugs|medications) online/i describe ONLINE_PHARMACY Online Pharmacy body NO_PRESCRIPTION /no.{1,10}P(?:er|re)scription.{1,10}(?:needed|require|necessary)/i describe NO_PRESCRIPTION No prescription needed # too easy body VIA_GAP_GRA /\bvia.gra\b/i describe VIA_GAP_GRA Attempts to disguise the word 'viagra' ######################################################################## # male sexual dysfunction drugs # # This section is undergoing improvements and I'm trying to track down a # FP case that seems to mostly affect technical emails. # However, all of the test cases so far fail to match when retested. # note: The regex /v.i.a.g.r.a/ was intentionally not used # due to potential false positive cases with PGP signatures # and other base-64ish stuff. # instead other patterns are used catch non alphanumeric gapping patterns # note: \W = "non word character" # Note: many of the drugs named in here are brand-names and are trademarked. # All trademarks are property of the respective owners. #current best char substitutions # i - [i1!|l\xEC-\xEF] # a - [a4\xE0-\xE6@] # e - [e3\xE8-\xEB] # o - [o0\xF2-\xF6] # u - [u\xB5\xF9-\xFC] # v - (?:\\\/|V) # l - [l!|1] #plain Viagra and Cialis (used in obfu detection) body __DRUGS_ERECTILE_V /\bViagra\b/i body __DRUGS_ERECTILE_C /\bCialis\b/i body __DRUGS_ERECTILE_L /\bLevitra\b/i # obfu/plain and mis-spelled Viagra variants body __DRUGS_ERECTILE1 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[ij1!|l\xEC\xED\xEE\xEF][_\W]{0,3}[a40\xE0-\xE6@][_\W]{0,3}[xyz]?[gj][_\W]{0,3}r[_\W]{0,3}[a40\xE0-\xE6@][_\W]{0,3}x?[_\W]{0,3}(?:\b|\s)/i body __DRUGS_ERECTILE2 /\bV(?:agira|igara|iaggra|iaegra)\b/i # cialis variants (spelling correct now) # note: the rather strange pre-amble is to avoid FPs on french words containing high-ascii chars surrounding # "cialis". body __DRUGS_ERECTILE3 /(?:\A|[\s\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])[_\W]{0,3}C[_\W]{0,3}[ij1!|l\xEC\xED\xEE\xEF][_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}l?[l!|1][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}s[_\W]{0,3}(?:\b|\s)/i body __DRUGS_ERECTILE4 /\bC(?:alis|ilias|ilais)\b/i # generic names #sildenafil citrate body __DRUGS_ERECTILE5 /\b_{0,3}s[_\W]?[i1!|l\xEC-\xEF][_\W]?l[_\W]?d[_\W]?[e3\xE8-\xEB][_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?f[_\W]?[i1!|l\xEC-\xEF][_\W]?l c[_\W]?[i1!|l\xEC-\xEF][_\W]?t[_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?t[_\W]?[e3\xE8-\xEB]_{0,3}(?:\b|\s)/i #Levitra body __DRUGS_ERECTILE6 /\b_{0,3}L[_\W]?[e3\xE8-\xEB][_\W]?(?:\\\/|V)[_\W]?[i1!|l\xEC-\xEF][_\W]?t[_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?(?:\b|\s)/i #tadalafil body __DRUGS_ERECTILE8 /\b_{0,3}T[_\W]?[a4\xE0-\xE6@][_\W]?d[_\W]?[a4\xE0-\xE6@][_\W]?l[_\W]?[a4\xE0-\xE6@][_\W]?f[_\W]?[i1!|l\xEC-\xEF][_\W]?l_{0,3}\b/i # gapped/obfu viagra variants using funky html-style character codes rawbody __DRUGS_ERECTILE10 /\b_{0,3}V[_\W]?(?:i|\ï\;)[_\W]?(?:a|\à|\å)\;?[_\W]?g[_\W]?r[_\W]?(?:a|\à|\å)\b/i #apcalis - a generic of cialis body __DRUGS_ERECTILE11 /(?:\b|\s)_{0,3}[a4\xE0-\xE6@][_\W]{0,3}p[_\W]{0,3}c[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}[l!|1][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}s_{0,3}\b/i meta DRUGS_ERECTILE (__DRUGS_ERECTILE1 || __DRUGS_ERECTILE2 || __DRUGS_ERECTILE3 || __DRUGS_ERECTILE4 || __DRUGS_ERECTILE5 || __DRUGS_ERECTILE6 || __DRUGS_ERECTILE8 || __DRUGS_ERECTILE10 || __DRUGS_ERECTILE11 ) describe DRUGS_ERECTILE Refers to an erectile drug meta DRUGS_ERECTILE_OBFU ( (__DRUGS_ERECTILE1 &&!__DRUGS_ERECTILE_V) || (__DRUGS_ERECTILE3 && !__DRUGS_ERECTILE_C) ||__DRUGS_ERECTILE2 || (__DRUGS_ERECTILE10 &&!__DRUGS_ERECTILE_V) || (__DRUGS_ERECTILE6 &&!__DRUGS_ERECTILE_L)) describe DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug #diet body __DRUGS_DIET_PHEN /\bphentermine\b/i #phentermine body __DRUGS_DIET1 /(?:\b|\s)[_\W]{0,3}p[_\W]{0,3}h[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}n[_\W]{0,3}t[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}r[_\W]{0,3}m[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}n[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}(?:\b|\s)/i #ionamin body __DRUGS_DIET2 /(?:\b|\s)_{0,3}[i1!|l\xEC-\xEF][_\W]?o[_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?m[_\W]?[i1!|l\xEC-\xEF][_\W]?n_{0,3}\b/i #bontril body __DRUGS_DIET3 /\bbontril\b/i #phendimetrazine body __DRUGS_DIET4 /\bphendimetrazine\b/i #diethylpropion, generic of Tenuate, uncommon in spam body __DRUGS_DIET5 /\bdiethylpropion\b/i #Meridia body __DRUGS_DIET6 /(?:\b|\s)[_\W]{0,3}M[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}r[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}d[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}(?:\b|\s)/i #tenuate body __DRUGS_DIET7 /\b_{0,3}t[_\W]?[e3\xE8-\xEB][_\W]?n[_\W]?u[_\W]?a[_\W]?t[_\W]?[e3\xE8-\xEB]_{0,3}(?:\b|\s)/i #didrex body __DRUGS_DIET8 /\b_{0,3}d[_\W]?[i1!|l\xEC-\xEF][_\W]?d[_\W]?r[_\W][e3\xE8-\xEB[_\W]?xx?_{0,3}\b/i #adipex body __DRUGS_DIET9 /\b_{0,3}a[_\W]?d[_\W]?[i1!|l\xEC-\xEF][_\W]?p[_\W]?[e3\xE8-\xEB][_\W]?x_{0,3}\b/i #xenical body __DRUGS_DIET10 /\b_{0,3}x?x[_\W]?[e3\xE8-\xEB][_\W]?n[_\W]?[i1!|l\xEC-\xEF][_\W]?c[_\W]?[a4\xE0-\xE6@][_\W]?l_{0,3}\b/i meta DRUGS_DIET (__DRUGS_DIET1 || __DRUGS_DIET2 || __DRUGS_DIET3 || __DRUGS_DIET4 ||__DRUGS_DIET5 ||__DRUGS_DIET6 ||__DRUGS_DIET7 ||__DRUGS_DIET8 || __DRUGS_DIET9 || __DRUGS_DIET10 ) describe DRUGS_DIET Refers to a diet drug meta DRUGS_DIET_OBFU (__DRUGS_DIET1 && !__DRUGS_DIET_PHEN) describe DRUGS_DIET_OBFU Obfuscated reference to a diet drug # pain relief drugs body __DRUGS_PAIN_VICO /vicodin/i body __DRUGS_PAIN_VIOXX /vioxx/i body __DRUGS_PAIN_FIO /fioricet/i body __DRUGS_PAIN1 /\b_{0,3}h[_\W]?y[_\W]?d[_\W]?r[_\W]?[o0\xF2-\xF6][_\W]?c[_\W]?[o0\xF2-\xF6][_\W]?d[_\W]?[o0\xF2-\xF6][_\W]?n[_\W]?e_{0,3}\b/i body __DRUGS_PAIN2 /\b_{0,3}c[o0\xF2-\xF6]deine_{0,3}\b/i #ultram body __DRUGS_PAIN3 /(?:\b|\s)[_\W]{0,3}[u\xB5\xF9-\xFC][_\W]{0,3}l[_\W]{0,3}t[_\W]{0,3}r[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}m_{0,3}\b/i #vicodin body __DRUGS_PAIN4 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}c[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}d[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}ns?[_\W]{0,3}(?:\b|\s)/i #tramadol body __DRUGS_PAIN5 /\b_{0,3}t[_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?m[_\W]?[a4\xE0-\xE6@][_\W]?d[_\W]?[o0\xF2-\xF6][_\W]?[l!|1]_{0,3}\b/i # ultracet, uncommon in spam. body __DRUGS_PAIN6 /\b_{0,3}u[_\W]?l[_\W]?t[_\W]?r[_\W]?a[_\W]?c[_\W]?e[_\W]?t_{0,3}\b/i #fioricet body __DRUGS_PAIN7 /\b_{0,3}f[_\W]?[i1!|l\xEC-\xEF][_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?[i1!|l\xEC-\xEF][_\W]?c[_\W]?[e3\xE8-\xEB][_\W]?[t7]_{0,3}\b/i #celebrex body __DRUGS_PAIN8 /\b_{0,3}c[_\W]?[e3\xE8-\xEB][_\W]?l[_\W]?[e3\xE8-\xEB][_\W]?b[_\W]?r[_\W]?[e3\xE8-\xEB][_\W]?x_{0,3}\b/i #imitrex body __DRUGS_PAIN9 /(?:\b|\s)_{0,3}[i1!|l\xEC-\xEF]m[i1!|l\xEC-\xEF]tr[e3\xE8-\xEB]x_{0,3}\b/i #vioxx body __DRUGS_PAIN10 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}x[_\W]{0,3}xx?_{0,3}\b/i #zebutal, uncommon in spam. body __DRUGS_PAIN11 /\bzebutal\b/i #esgic plus, uncommon in spam. body __DRUGS_PAIN12 /\besgic plus\b/i #Darvon - a prescription narcotic body __DRUGS_PAIN13 /\bD[_\W]?[a4\xE0-\xE6@][_\W]?r[_\W]?v[_\W]?[o0\xF2-\xF6][_\W]?n\b/i body __DRUGS_PAIN14 /N[o0\xF2-\xF6]rc[o0\xF2-\xF6]/i meta __DRUGS_PAIN (__DRUGS_PAIN1 || __DRUGS_PAIN2 || __DRUGS_PAIN3 || __DRUGS_PAIN4 ||__DRUGS_PAIN5 ||__DRUGS_PAIN6 ||__DRUGS_PAIN7 ||__DRUGS_PAIN8 || __DRUGS_PAIN9 || __DRUGS_PAIN10|| __DRUGS_PAIN11 || __DRUGS_PAIN12 || __DRUGS_PAIN13 ||__DRUGS_PAIN14) #sleep aids #ativan and lorazepam already under anxiety #Ambien, brand of zolpidem tartrate body __DRUGS_SLEEP1 /(?:\b|\s)[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}m[_\W]{0,3}b[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}n[_\W]{0,3}(?:\b|\s)/i #sonata, brand of zaleplon body __DRUGS_SLEEP2 /(?:\b|\s)[_\W]{0,3}S[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}n[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}t[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}(?:\b|\s)/i #Restoril, brand of temazepam, uncommon in spam body __DRUGS_SLEEP3 /\b_{0,3}R[_\W]?[e3\xE8-\xEB][_\W]?s[_\W]?t[_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?i[_\W]?l_{0,3}\b/i #Halcion, brand of triazolam body __DRUGS_SLEEP4 /\b_{0,3}H[_\W]?[a4\xE0-\xE6@][_\W]?l[_\W]?c[_\W]?i[_\W]?[o0\xF2-\xF6][_\W]?n_{0,3}\b/i meta __DRUGS_SLEEP (__DRUGS_SLEEP1 || __DRUGS_SLEEP2 || __DRUGS_SLEEP3 ||__DRUGS_SLEEP4) #muscle relaxants #soma body __DRUGS_MUSCLE1 /(?:\b|\s)[_\W]{0,3}s[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}m[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}(?:\b|\s)/i #cyclobenzaprine body __DRUGS_MUSCLE2 /\b_{0,3}cycl[o0\xF2-\xF6]b[e3\xE8-\xEB]nz[a4\xE0-\xE6@]pr[i1!|l\xEC-\xEF]n[e3\xE8-\xEB]_{0,3}(?:\b|\s)/i #flexeril body __DRUGS_MUSCLE3 /\b_{0,3}f[_\W]?l[_\W]?[e3\xE8-\xEB][_\W]?x[_\W]?[e3\xE8-\xEB][_\W]?r[_\W]?[i1!|l\xEC-\xEF]_{0,3}[_\W]?l_{0,3}\b/i #zanaflex body __DRUGS_MUSCLE4 /\b_{0,3}z[_\W]?a[_\W]?n[_\W]?a[_\W]?f[_\W]?l[_\W]?e[_\W]?x_{0,3}\b/i #skelaxin body __DRUGS_MUSCLE5 /\bskelaxin\b/i meta DRUGS_MUSCLE (__DRUGS_MUSCLE1 || __DRUGS_MUSCLE2 || __DRUGS_MUSCLE3 || __DRUGS_MUSCLE4 ||__DRUGS_MUSCLE5 ) describe DRUGS_MUSCLE Refers to a muscle relaxant #anti-anxiety #these two rules are used to differentiate between obfu and non-obfu spellings body __DRUGS_ANXIETY_XAN /xan[ae]x/i body __DRUGS_ANXIETY_VAL /valium/i #xanax - note: second a sometimes done as e. body __DRUGS_ANXIETY1 /(?:\b|\s)[_\W]{0,3}x?x[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}n[_\W]{0,3}[ea4\xE1\xE2\xE3@][_\W]{0,3}xx?_{0,3}\b/i #alprazolam body __DRUGS_ANXIETY2 /\bAlprazolam\b/i #valium body __DRUGS_ANXIETY3 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}[l|][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[u\xB5\xF9-\xFC][_\W]{0,3}m\b/i #diazepam, generic of valium body __DRUGS_ANXIETY4 /\b_{0,3}D[_\W]?[i1!|l\xEC-\xEF][_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[ea3\xE9\xEA\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/i #ativan body __DRUGS_ANXIETY5 /(?:\b|\s)[a4\xE0-\xE6@][_\W]?t[_\W]?[i1!|l\xEC-\xEF][_\W]?v[_\W]?[a4\xE0-\xE6@][_\W]?n_{0,3}\b/i #lorazepam - generic of ativan, uncommon in spam body __DRUGS_ANXIETY6 /\b_{0,3}l[_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[e3\xE8-\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/i #clonazepam, generic. body __DRUGS_ANXIETY7 /\b_{0,3}c[_\W]?l[_\W]?[o0\xF2-\xF6][_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?e[_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m\b/i #klonopin, brand of clonazepam, uncommon in spam body __DRUGS_ANXIETY8 /\bklonopin\b/i #rivotril, brand of clonazepam, uncommon in spam body __DRUGS_ANXIETY9 /\brivotril\b/i meta DRUGS_ANXIETY (__DRUGS_ANXIETY1 || __DRUGS_ANXIETY2 || __DRUGS_ANXIETY3 || __DRUGS_ANXIETY4 ||__DRUGS_ANXIETY5 ||__DRUGS_ANXIETY6 ||__DRUGS_ANXIETY7 ||__DRUGS_ANXIETY8 || __DRUGS_ANXIETY9 ) describe DRUGS_ANXIETY Refers to an anxiety control drug meta DRUGS_ANXIETY_OBFU ( (__DRUGS_ANXIETY1 &&! __DRUGS_ANXIETY_XAN) || (__DRUGS_ANXIETY3 && !__DRUGS_ANXIETY_VAL)) describe DRUGS_ANXIETY_OBFU Obfuscated reference to an anxiety control drug body DRUGS_SMEAR1 /(?:Viagra|Valium|Xanax|Soma|Cialis){2}/i describe DRUGS_SMEAR1 Two or more drugs crammed together into one word #search for "weird" combinations that are unlikely to #be prescribed together for a single event, thus unlikely to be #mentioned in the same email, except an online pharmacy ad. meta DRUGS_ANXIETY_EREC (DRUGS_ERECTILE && DRUGS_ANXIETY) describe DRUGS_ANXIETY_EREC Refers to both an erectile and an anxiety drug meta DRUGS_SLEEP_EREC (DRUGS_ERECTILE && __DRUGS_SLEEP) describe DRUGS_SLEEP_EREC Refers to both an erectile and a sleep aid drug # note: some 3 item combos are "normal" ie: a patient might legitimately # be prescribed depression, anxiety and sleep aid drugs all at once. # however, I know of no "normal" 4-item combinations. meta DRUGS_MANYKINDS (DRUGS_ERECTILE + DRUGS_DIET + __DRUGS_PAIN + __DRUGS_SLEEP + DRUGS_MUSCLE + DRUGS_ANXIETY > 3) describe DRUGS_MANYKINDS Refers to at least four kinds of drugs ########################################################################