# SpamAssassin rules file: URI tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of either the Artistic License or the GNU General
# Public License as published by the Free Software Foundation; either
# version 1 of the License, or (at your option) any later version.
#
# See the file "License" in the top level of the SpamAssassin source
# distribution for more details.
#
###########################################################################

require_version @@VERSION@@

uri NUMERIC_HTTP_ADDR		/^https?\:\/\/\d{7,}/is
describe NUMERIC_HTTP_ADDR	Uses a numeric IP address in URL

uri NORMAL_HTTP_TO_IP		/^https?\:\/\/(?:\S*\@)?\d+\.\d+\.\d+\.\d+/i
describe NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL
 	
uri HTTP_WITH_EMAIL_IN_URL	/^https?\:\/\/\S+=[-_\+a-z0-9\.]+\@[-_\+a-z0-9\.]+\.[-_\+a-z0-9]{2,3}(?:\&|\s)/
describe HTTP_WITH_EMAIL_IN_URL	'remove' URL contains an email address

# Theo sez:
# Have gotten FPs off this, and whitespace can't be in the host, so...
# %    Visit my homepage: http://i.like.foo.com %
uri HTTP_ESCAPED_HOST		/^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST	Uses %-escapes inside a URL's hostname

# note: do not match \r or \n
uri HTTP_CTRL_CHARS_HOST	/^https?\:\/\/[^\/\s]*[\x00-\x08\x0b\x0c\x0e-\x1f]/
describe HTTP_CTRL_CHARS_HOST	Uses control sequences inside a URL hostname

# look for URI with escaped 0-9, A-Z, or a-z characters (all other safe
# characters have been well-tested, but are sometimes unnecessarily escaped
# in nonspam; requiring "http" or "https" also reduces false positives).
uri HTTP_EXCESSIVE_ESCAPES	/^https?:\/\/\S*%(?:3\d|[46][1-9a-f]|[57][\da])/i
describe HTTP_EXCESSIVE_ESCAPES	Completely unnecessary %-escapes inside a URL

# thx to vince.delvecchio@analog.com for the legwork on the negative
# lookbehinds here; saved a lot of work for us (bug 1035), also see bug 1835
uri PORN_4			/^https?:\/\/[\w\.-]*(?:xxx|(?<!es|ba)(?<!dle|sus)sex|anal(?!og|y[sz])|slut|pussy|(?<!cir)(?<!\bdo)cum(?!ul|be?r|b?en)|nympho|suck|porn|hard-?core|taboo|whore|voyeur|lesbian|gurlpages|naughty|lolita|(?<!thir|four|eigh|nine)(?<!fif|six)(?<!seven)teen|schoolgirl|kooloffer|erotic|lust(?!(?<=illust)(?:rat|rious)|(?<=clust)er)|pant(?:y|ies))[\w-]*\./
describe PORN_4			URL uses words/phrases which indicate porn

# some frequently-advertised URLs
uri WWW_CLIK4YOU_COM		/clik4you\.com/i
describe WWW_CLIK4YOU_COM	Frequent Spam content

# bug 1801
uri IP_LINK_PLUS	/^https?\:\/\/(?:\S*\@)?\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id\=)/i
describe IP_LINK_PLUS	Dotted-decimal IP address followed by CGI

uri UNSUB_SCRIPT		/^https?:\/\/.*?cgi.*?(?:unsubscribe|remove)/i
describe UNSUB_SCRIPT		URL of CGI script has unsubscribe or remove

uri UNSUB_PAGE			/^https?:\/\/.*?(?!cgi).*?unsubscribe/i
describe UNSUB_PAGE		URL of page called "unsubscribe"
 	
uri REMOVE_PAGE			/^https?:\/\/[^\/]+\/.*?remove/
describe REMOVE_PAGE		URL of page called "remove"
 	
uri MAILTO_WITH_SUBJ		/^mailto:\S+\?subject=/is
describe MAILTO_WITH_SUBJ	Includes a link to send a mail with a subject
 	
uri MAILTO_TO_SPAM_ADDR		/^mailto:[a-z]+\d{2,}\@/is
describe MAILTO_TO_SPAM_ADDR	Includes a link to a likely spammer email
 	
uri MAILTO_TO_REMOVE		/^mailto:.*?remove/is
describe MAILTO_TO_REMOVE	Includes a 'remove' email address

uri JAVASCRIPT_URI		/^javascript:/i
describe JAVASCRIPT_URI		Javascript protocol in a URI

# allow ports 80 and 443 which are http and https, respectively
# we don't want to hit http://www.cnn.com:USArticle1840@www.liquidshirts.com/
# though, which actually doesn't have a weird port in it.
uri WEIRD_PORT			m{https?://[^/\s]+?:\d+(?<!:80)(?<!:443)(?<!:8080)(?:/|\s|$)}
describe WEIRD_PORT		Uses non-standard port number for HTTP

# looks for a (maybe empty) username and (optional) password in an url
uri USERPASS			m{https?://[^/\s]*?(?::[^/\s]+?)?\@}
describe USERPASS               URL contains username and (optional) password

uri URI_IS_POUND		m{\#$}
describe URI_IS_POUND		Filename is just a '\#'; probably a JS trick

uri BTAMAIL_URL			/btamail\.net\.cn/i
describe BTAMAIL_URL		Frequent Spam content
 	
uri CHINA_URL			/(?:freehost|yada)china\.com/i
describe CHINA_URL		Frequent Spam content

uri MAILTO_TO_B2BMAIL		/^mailto:[^\s\@]{1,20}\@b2b-?mail\./is
describe MAILTO_TO_B2BMAIL	Includes a link to a likely spammer email

uri DAILY_PL			/\/logic\/[a-z]{2}\.pl/
describe DAILY_PL		Spam URL pattern, DailyPromotions redirect

uri DAILY_PXE			/http:\/\/(?:pxe|fx)\./i
describe DAILY_PXE		Spam URL pattern, DailyPromotions server link

uri E_MAILPROMO_URL		/\be-mailpromo\.net/
describe E_MAILPROMO_URL	Includes a link to a likely spammer domain

uri BARGAIN_URL			/bargain([sz]|-\S+)?\.(?:com|biz)/
describe BARGAIN_URL		Includes a link to a likely spammer domain

uri URI_PXLG			m{http://(?:www\.)?pxlg\.com}i
describe URI_PXLG		Frequent Spam Content

# this is actually effective.  What are they doing over there?
uri BZ_TLD			/^(?:https?:\/\/|mailto:)[^\/]+\.bz(?:\/|$)/i
describe BZ_TLD			Contains a URL in the BZ top-level domain    

uri BIZ_TLD			/^(?:https?:\/\/|mailto:)[^\/]+\.biz(?:\/|$)/i
describe BIZ_TLD		Contains a URL in the BIZ top-level domain    

# Matt Cline
# Pretty good for most folks, except for jm: I have a really stupid
# e-commerce bunch obfuscating their URLs with this for some reason. screw 'em
uri      HTTP_ENTITIES_HOST	m{https?://[^\s\">/]*\&\#[\da-f]+}i
describe HTTP_ENTITIES_HOST	URI obscured with character entities

uri 	URI_DOLLARMACHINE 	/dollar.?machine/i
describe URI_DOLLARMACHINE	Message has URI for dollarmachine

uri 	URI_HITBOX 		/hitbox\.com/i
describe URI_HITBOX		Message has URI for hitbox.com

uri	YAHOO_REDIR		/^https?\:\/\/rd\.yahoo\.com\/(?:[0-9]{4,}|partner\b|dir\b)/i
describe YAHOO_REDIR		Has Yahoo Redirect URI

uri MORTGAGE_LINKS		/(?:^https?\:\/\/|^mailto\:).{0,20}(?:low|about)mortgage/i
describe MORTGAGE_LINKS		Message has link to mortgage URI

uri URI_OFFERS			m/offer([sz]|-\S+)?\.(?:com|bi?z)/i
describe URI_OFFERS		Message has link to company offers

uri URI_BANNEDCD		m@^(?:https?://|mailto:)[^\/]*bannedcd@i
describe URI_BANNEDCD		Message has URI for bannedcd

uri URI_FREEHT			m@^(?:https?://|mailto:)[^\/]*freeht@i
describe URI_FREEHT		Message has URI for freeht

uri URI_4YOU			m@^(?:https?://|mailto:)[^\/]*4you@i
describe URI_4YOU		Message has URI 4you