# SpamAssassin rules file: HTML tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# See the file "License" in the top level of the SpamAssassin distribution
# for usage terms.
#
###########################################################################
require_version @@VERSION@@
# HTML parser tests
#
# please sort these by eval type then name
# HTML control test, HTML spam rules should all have better S/O than this
body HTML_MESSAGE eval:html_message()
describe HTML_MESSAGE HTML included in message
# the HTML percentage range
# should really be converted into a numeric function test
body HTML_00_10 eval:html_range('ratio','0.00','0.10')
body HTML_10_20 eval:html_range('ratio','0.10','0.20')
body HTML_20_30 eval:html_range('ratio','0.20','0.30')
body HTML_30_40 eval:html_range('ratio','0.30','0.40')
body HTML_40_50 eval:html_range('ratio','0.40','0.50')
body HTML_50_60 eval:html_range('ratio','0.50','0.60')
body HTML_60_70 eval:html_range('ratio','0.60','0.70')
body HTML_70_80 eval:html_range('ratio','0.70','0.80')
body HTML_80_90 eval:html_range('ratio','0.80','0.90')
body HTML_90_100 eval:html_range('ratio','0.90','1.00')
describe HTML_00_10 Message is 0% to 10% HTML
describe HTML_10_20 Message is 10% to 20% HTML
describe HTML_20_30 Message is 20% to 30% HTML
describe HTML_30_40 Message is 30% to 40% HTML
describe HTML_40_50 Message is 40% to 50% HTML
describe HTML_50_60 Message is 50% to 60% HTML
describe HTML_60_70 Message is 60% to 70% HTML
describe HTML_70_80 Message is 70% to 80% HTML
describe HTML_80_90 Message is 80% to 90% HTML
describe HTML_90_100 Message is 90% to 100% HTML
# HTML shouting range
# should really be converted into a numeric function test
body HTML_SHOUTING3 eval:html_range('max_shouting','2','3')
body HTML_SHOUTING4 eval:html_range('max_shouting','3','4')
body HTML_SHOUTING5 eval:html_range('max_shouting','4','5')
body HTML_SHOUTING6 eval:html_range('max_shouting','5','6')
body HTML_SHOUTING7 eval:html_range('max_shouting','6','7')
body HTML_SHOUTING8 eval:html_range('max_shouting','7','8')
body HTML_SHOUTING9 eval:html_range('max_shouting','8')
describe HTML_SHOUTING3 HTML has very strong "shouting" markup
describe HTML_SHOUTING4 HTML has very strong "shouting" markup
describe HTML_SHOUTING5 HTML has very strong "shouting" markup
describe HTML_SHOUTING6 HTML has very strong "shouting" markup
describe HTML_SHOUTING7 HTML has very strong "shouting" markup
describe HTML_SHOUTING8 HTML has very strong "shouting" markup
describe HTML_SHOUTING9 HTML has very strong "shouting" markup
body HTML_TABLE_THICK_BORDER eval:html_test('thick_border')
describe HTML_TABLE_THICK_BORDER HTML table has thick border
body __HTML_CHARSET_FARAWAY eval:html_charset_faraway()
meta HTML_CHARSET_FARAWAY (__HTML_CHARSET_FARAWAY && __HIGHBITS)
describe HTML_CHARSET_FARAWAY A foreign language charset used in HTML markup
tflags HTML_CHARSET_FARAWAY userconf
body HTML_COMMENT_EMAIL eval:html_test('comment_email')
describe HTML_COMMENT_EMAIL HTML comment contains email address
body HTML_COMMENT_EGP eval:html_test('comment_egp')
describe HTML_COMMENT_EGP HTML comment contains non-spam Yahoo! Groups banner
tflags HTML_COMMENT_EGP nice
body HTML_COMMENT_SKY eval:html_test('comment_sky')
describe HTML_COMMENT_SKY HTML comment contains SKY database codes
body HTML_COMMENT_8BITS eval:html_test('comment_8bit')
describe HTML_COMMENT_8BITS HTML comment has 3 consecutive 8-bit characters
body HTML_COMMENT_SAVED_URL eval:html_test('comment_saved_url')
describe HTML_COMMENT_SAVED_URL HTML message is a saved web page
body HTML_EMBEDS eval:html_test('embeds')
describe HTML_EMBEDS HTML with embedded plugin object
body HTML_EVENT eval:html_test('html_event')
describe HTML_EVENT HTML contains auto-executing code
body HTML_EVENT_UNSAFE eval:html_test('html_event_unsafe')
describe HTML_EVENT_UNSAFE HTML contains unsafe auto-executing code
body HTML_FONT_BIG eval:html_test('big_font')
describe HTML_FONT_BIG FONT Size +2 and up or 3 and up
body HTML_FONT_BIG_B eval:html_test('big_font_B')
describe HTML_FONT_BIG_B HTML has a big "font" and "B" tag combo
body HTML_FONT_COLOR_NOHASH eval:html_test('font_color_nohash')
describe HTML_FONT_COLOR_NOHASH HTML font color is missing hash (#) character
body HTML_FONT_COLOR_UNSAFE eval:html_test('font_color_unsafe')
describe HTML_FONT_COLOR_UNSAFE HTML font color not within safe 6x6x6 palette
body HTML_FONT_COLOR_NAME eval:html_test('font_color_name')
describe HTML_FONT_COLOR_NAME HTML font color has unusual name
body HTML_FONT_INVISIBLE eval:html_test('font_invisible')
describe HTML_FONT_INVISIBLE HTML font color is same as background
body HTML_FONT_COLOR_GRAY eval:html_test('font_gray')
describe HTML_FONT_COLOR_GRAY HTML font color is gray
body HTML_FONT_COLOR_RED eval:html_test('font_red')
describe HTML_FONT_COLOR_RED HTML font color is red
body HTML_FONT_COLOR_YELLOW eval:html_test('font_yellow')
describe HTML_FONT_COLOR_YELLOW HTML font color is yellow
body HTML_FONT_COLOR_GREEN eval:html_test('font_green')
describe HTML_FONT_COLOR_GREEN HTML font color is green
body HTML_FONT_COLOR_CYAN eval:html_test('font_cyan')
describe HTML_FONT_COLOR_CYAN HTML font color is cyan
body HTML_FONT_COLOR_BLUE eval:html_test('font_blue')
describe HTML_FONT_COLOR_BLUE HTML font color is blue
body HTML_FONT_COLOR_MAGENTA eval:html_test('font_magenta')
describe HTML_FONT_COLOR_MAGENTA HTML font color is magenta
body HTML_FONT_COLOR_UNKNOWN eval:html_test('font_color_unknown')
describe HTML_FONT_COLOR_UNKNOWN HTML font color is unknown to us
body HTML_FONT_FACE_BAD eval:html_test('font_face_bad')
describe HTML_FONT_FACE_BAD HTML font face is not a word
body HTML_FONT_FACE_ODD eval:html_test('font_face_odd')
describe HTML_FONT_FACE_ODD HTML font face is not a commonly used face
body HTML_FONT_FACE_CAPS eval:html_test('font_face_caps')
describe HTML_FONT_FACE_CAPS HTML font face has excess capital characters
body HTML_FORM_ACTION_MAILTO eval:html_test('form_action_mailto')
describe HTML_FORM_ACTION_MAILTO HTML includes a form which sends mail
# HTML_IMAGE_AREA - lots of image area (absolute)
# note that: 640x480 = 307200, 800x600 = 480000, 1024x768=786432
body HTML_IMAGE_AREA_04 eval:html_range('image_area','400000','500000')
body HTML_IMAGE_AREA_05 eval:html_range('image_area','500000','600000')
body HTML_IMAGE_AREA_06 eval:html_range('image_area','600000','700000')
body HTML_IMAGE_AREA_07 eval:html_range('image_area','700000','800000')
body HTML_IMAGE_AREA_08 eval:html_range('image_area','800000','900000')
body HTML_IMAGE_AREA_09 eval:html_range('image_area','900000')
describe HTML_IMAGE_AREA_04 HTML has 4-5 kilopixels of images
describe HTML_IMAGE_AREA_05 HTML has 5-6 kilopixels of images
describe HTML_IMAGE_AREA_06 HTML has 6-7 kilopixels of images
describe HTML_IMAGE_AREA_07 HTML has 7-8 kilopixels of images
describe HTML_IMAGE_AREA_08 HTML has 8-9 kilopixels of images
describe HTML_IMAGE_AREA_09 HTML has over 9 kilopixels of images
# HTML_IMAGE_ONLY - not much text with images (absolute)
body HTML_IMAGE_ONLY_02 eval:html_image_only('0000','0200')
body HTML_IMAGE_ONLY_04 eval:html_image_only('0200','0400')
body HTML_IMAGE_ONLY_06 eval:html_image_only('0400','0600')
body HTML_IMAGE_ONLY_08 eval:html_image_only('0600','0800')
body HTML_IMAGE_ONLY_10 eval:html_image_only('0800','1000')
body HTML_IMAGE_ONLY_12 eval:html_image_only('1000','1200')
describe HTML_IMAGE_ONLY_02 HTML has images with 0-200 bytes of words
describe HTML_IMAGE_ONLY_04 HTML has images with 200-400 bytes of words
describe HTML_IMAGE_ONLY_06 HTML has images with 400-600 bytes of words
describe HTML_IMAGE_ONLY_08 HTML has images with 600-800 bytes of words
describe HTML_IMAGE_ONLY_10 HTML has images with 800-1000 bytes of words
describe HTML_IMAGE_ONLY_12 HTML has images with 1000-1200 bytes of words
# HTML_IMAGE_RATIO - more image area than text (ratio)
body HTML_IMAGE_RATIO_02 eval:html_image_ratio('0.000','0.002')
body HTML_IMAGE_RATIO_04 eval:html_image_ratio('0.002','0.004')
body HTML_IMAGE_RATIO_06 eval:html_image_ratio('0.004','0.006')
body HTML_IMAGE_RATIO_08 eval:html_image_ratio('0.006','0.008')
body HTML_IMAGE_RATIO_10 eval:html_image_ratio('0.008','0.010')
body HTML_IMAGE_RATIO_12 eval:html_image_ratio('0.010','0.012')
body HTML_IMAGE_RATIO_14 eval:html_image_ratio('0.012','0.014')
describe HTML_IMAGE_RATIO_02 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_04 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_06 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_08 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_10 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_12 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_14 HTML has a low ratio of text to image area
body HTML_JAVASCRIPT eval:html_test('javascript')
describe HTML_JAVASCRIPT JavaScript code
body HTML_LINK_CLICK_HERE eval:html_eval('anchor_text', '=~ /click\s+here/i')
describe HTML_LINK_CLICK_HERE HTML link text says "click here"
body HTML_LINK_CLICK_CAPS eval:html_eval('anchor_text', '=~ /CLICK/')
describe HTML_LINK_CLICK_CAPS HTML link text says "CLICK"
# many spammers seem to do this nowadays (and probably track
# their customers with it). (contrib: WW)
body HTML_RELAYING_FRAME eval:html_test('relaying_frame')
describe HTML_RELAYING_FRAME Frame wanted to load outside URL
body HTML_WEB_BUGS eval:html_test('web_bugs')
describe HTML_WEB_BUGS Image tag with an ID code to identify you
body HTML_WIN_BLUR eval:html_test('window_blur')
describe HTML_WIN_BLUR Javascript to move windows around
body HTML_WIN_FOCUS eval:html_test('window_focus')
describe HTML_WIN_FOCUS Javascript to change window focus
body HTML_WIN_OPEN eval:html_test('window_open')
describe HTML_WIN_OPEN Javascript to open a new window
body HTML_WITH_BGCOLOR eval:html_test('bgcolor_nonwhite')
describe HTML_WITH_BGCOLOR HTML mail with non-white background
body HTML_TAG_BALANCE_A eval:html_tag_balance('a', '< 0')
describe HTML_TAG_BALANCE_A HTML has excess "a" close tags
body HTML_TAG_BALANCE_FONT eval:html_tag_balance('font', '< 0')
describe HTML_TAG_BALANCE_FONT HTML has excess "font" close tags
body HTML_TAG_BALANCE_HTML eval:html_tag_balance('html', '!= 0')
describe HTML_TAG_BALANCE_HTML HTML has unbalanced "html" tags
body HTML_TAG_BALANCE_BODY eval:html_tag_balance('body', '!= 0')
describe HTML_TAG_BALANCE_BODY HTML has unbalanced "body" tags
body HTML_TAG_BALANCE_HEAD eval:html_tag_balance('head', '!= 0')
describe HTML_TAG_BALANCE_HEAD HTML has unbalanced "head" tags
body HTML_TAG_BALANCE_TABLE eval:html_tag_balance('table', '> 0')
describe HTML_TAG_BALANCE_TABLE HTML is missing "table" close tags
body HTML_TAG_EXISTS_BASE eval:html_tag_exists('base')
describe HTML_TAG_EXISTS_BASE HTML has "base" tags
body HTML_TAG_EXISTS_PARAM eval:html_tag_exists('param')
describe HTML_TAG_EXISTS_PARAM HTML has "param" tag
body HTML_TAG_EXISTS_TBODY eval:html_tag_exists('tbody')
describe HTML_TAG_EXISTS_TBODY HTML has "tbody" tag
body HTML_TITLE_EMPTY eval:html_eval('title_text', '!~ /\S/s')
describe HTML_TITLE_EMPTY HTML title contains no text
body HTML_TITLE_UNTITLED eval:html_eval('title_text', '=~ /Untitled/i')
describe HTML_TITLE_UNTITLED HTML title contains "Untitled"
###########################################################################
# rawbody HTML tests
rawbody SPAM_FORM /CHANGE EMAIL ADDRESS IN ACTION OF FORM/
describe SPAM_FORM Form for changing email address
rawbody SPAM_FORM_RETURN /return validate_form/
describe SPAM_FORM_RETURN Form for checking email address
rawbody SPAM_FORM_ACTION /action="\&\#\d+;\&\#\d+;\&\#\d+;\&\#\d+;/i
describe SPAM_FORM_ACTION Obfuscated action attribute in HTML form
rawbody HIDE_WIN_STATUS /<[^>]+onMouseOver=[^>]+window\.status=/i
describe HIDE_WIN_STATUS Javascript to hide URLs in browser
rawbody LINK_TO_NO_SCHEME /\s+href=['"]?www\./i
describe LINK_TO_NO_SCHEME Contains link without http:// prefix