# URI tests uri NUMERIC_HTTP_ADDR /^https?\:\/\/\d{7,}/is describe NUMERIC_HTTP_ADDR Uses a numeric IP address in URL uri NORMAL_HTTP_TO_IP /^https?\:\/\/\d+\.\d+\.\d+\.\d+/is describe NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL uri LONG_NUMERIC_HTTP_ADDR /^https?\:\/\/000\d+/is describe LONG_NUMERIC_HTTP_ADDR Uses a long numeric IP address in URL uri HTTP_USERNAME_USED /^https?\:\/\/[^\s\/]+\@/is describe HTTP_USERNAME_USED Uses a username in a URL uri HTTP_WITH_EMAIL_IN_URL /^https?\:\/\/\S+=[-_\+a-z0-9\.]+\@[-_\+a-z0-9\.]+\.[-_\+a-z0-9]{2,3}(?:\&|\s)/ describe HTTP_WITH_EMAIL_IN_URL 'remove' URL contains an email address uri HTTP_ESCAPED_HOST /^https?\:\/\/[^\/]*%/ describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname # note: do not match \r or \n uri HTTP_CTRL_CHARS_HOST /^https?\:\/\/[^\/]*[\x00-\x08\x0b\x0c\x0e-\x1f]/ describe HTTP_CTRL_CHARS_HOST Uses control sequences inside a URL's hostname uri PORN_4 /^https?:\/\/[\w\.-]*(?:xxx|sex|anal|slut|pussy|cum|nympho|suck|porn|hard-?core|taboo|whore|voyeur|lesbian|gurlpages|naughty|lolita|teen|schoolgirl|kooloffer|erotic|lust|panty|panties)[\w-]*\./ describe PORN_4 Uses words and phrases which indicate porn (4) # some frequently-advertised URLs uri E_WEBHOSTCENTRAL_URL /e-webhostcentral\.com/i describe E_WEBHOSTCENTRAL_URL Frequent SPAM content uri FREEWEBHOSTINGCENTRAL /freewebhostingcentral/i describe FREEWEBHOSTINGCENTRAL Frequent SPAM content uri FREEWEBCO_NET_URL /freewebco\.net/i describe FREEWEBCO_NET_URL Frequent SPAM content uri FREEMEGS_URL /25freemegs\.com/i describe FREEMEGS_URL Frequent SPAM content uri WEB4PORNO_URL /web4porno\.com/i describe WEB4PORNO_URL Frequent SPAM content uri CLICKSFORMONEY_NET /clicksformoney\.net/i describe CLICKSFORMONEY_NET Frequent SPAM content uri YELLOWSUN /yellowsun01\.com/i describe YELLOWSUN Frequent SPAM content uri WWW_REMOVEYOU_COM /removeyou\.com/i describe WWW_REMOVEYOU_COM Frequent SPAM content uri WWW_AUTOREMOVE_COM /autoremove\.com/i describe WWW_AUTOREMOVE_COM Frequent SPAM content uri WWW_CLIK4YOU_COM /clik4you\.com/i describe WWW_CLIK4YOU_COM Frequent SPAM content uri WWW_DIRECTFORCEMARKETING_COM /directforcemarketing\.com/i describe WWW_DIRECTFORCEMARKETING_COM Frequent SPAM content uri WWW_TRAFFICWOW_NET /trafficwow\.net/i describe WWW_TRAFFICWOW_NET Frequent SPAM content uri WWW_NETSITESFORFREE_NET /netsitesforfree\.net/i describe WWW_NETSITESFORFREE_NET Frequent SPAM content uri STAINLESS_STEEL /www.BuyStainlessOnline.com/i describe STAINLESS_STEEL Stainless Steel Network Spam uri UNSUB_SCRIPT /^https?:\/\/.*?cgi.*?(unsubscribe|remove)/i describe UNSUB_SCRIPT URL of CGI script called "unsubscribe" or "remove" uri UNSUB_PAGE /^https?:\/\/.*?(?!cgi).*?unsubscribe/i describe UNSUB_PAGE URL of page called "unsubscribe" uri REMOVE_PAGE /^https?:\/\/[^\/]+\/.*?remove/ describe REMOVE_PAGE URL of page called "remove" uri MAILTO_WITH_SUBJ_REMOVE /^mailto:\S+\?subject=[3D=\s"']*remove/is describe MAILTO_WITH_SUBJ_REMOVE Includes a URL link to send an email with the subject 'remove' uri MAILTO_WITH_SUBJ /^mailto:\S+\?subject=/is describe MAILTO_WITH_SUBJ Includes a link to send a mail with a subject uri MAILTO_TO_SPAM_ADDR /^mailto:[a-z]+\d{2,}\@/is describe MAILTO_TO_SPAM_ADDR Includes a link to a likely spammer email address uri MAILTO_TO_REMOVE /^mailto:.*?remove/is describe MAILTO_TO_REMOVE Includes a 'remove' email address # one spamhaus uses servers numbered like this: uri HTTP_NUMBER_WORD /^https?:\/\/(?:zero|one|two|three|four|five|six|seven|eight|nine|ten|eleven|twelve|thirteen|fourteen|fifteen|sixteen|seventeen|eighteen|nineteen|twenty)\./i describe HTTP_NUMBER_WORD URL contains spamhaus signature: numbered servers uri JAVASCRIPT_URI /^javascript:/i describe JAVASCRIPT_URI Javascript protocol in a URI uri URI_IS_POUND m{\#$} describe URI_IS_POUND Filename is just a '\#'; probably a JS trick uri WEIRD_PORT m{https?:\/\/[^/:\s]+:\d+} describe WEIRD_PORT Uses non-standard port number for HTTP uri SPAM_REDIRECTOR /https?\:.*(?:rd\.yahoo\.com|wwp\.icq\.com)/is describe SPAM_REDIRECTOR Uses open redirection service