First a few rules to match non-spam:
body SIGNATURE_DELIM /^-- $/
describe SIGNATURE_DELIM Standard signature delimiter present
While there would be no effort in faking this, it might take a while for some of the
spammers to catch on.
uri HTTPS_URL /https:\/\//
describe HTTPS_URL Spammers don't often use HTTPS
Has anyone seen spam that uses an HTTPS URI?
header MAJORDOMO Subject =~ /Majordomo (?:request )?results/
describe MAJORDOMO From Majordomo
Majordomo results should definetly not be marked as spam, and spammers are probably
unlike to stick "Majordomo results" in their subject.
And now a bunch of spam matching rules:
header PLEASE_READ Subject =~ /please read/i
describe PLEASE_READ Please read this! Please oh please oh please!
header SUSPICIOUS_FROM From =~
/(?:sales|money|credit|alert|market|affiliat|unsubscribe|offer|important)/i
describe SUSPICIOUS_FROM Suspicious phrase in "From" header
body READ_TO_END /read this (?:e-?mail )?to the end/i
describe READ_TO_END You'd better read all of this spam!
body DONT_DELETE /(?:don'?t delete this|do not delete)/i
describe DONT_DELETE Don't delete me! Nooooo!!!!
body REAL_THING /the real thing/i
describe REAL_THING It's the real thing, baby!
body WORKED_FOR_ME /worked for me/i
describe WORKED_FOR_ME It worked for the spammer, why not for you?
body ALL_NATURAL /100% natural/i
describe ALL_NATURAL Spam is 100% natural?!
body MONEY_BACK /money back guarantee/i
describe MONEY_BACK Money back guarantee.
body NO_CATCH /there is no catch/i
describe NO_CATCH There is no catch.
body NO_OBLIGATION /no obligation/i
describe NO_OBLIGATION There is no obligation.
body NO_DISSAPOINTMENT /You won'?t be diss?apointed/i
describe NO_DISSAPOINTMENT You won't be dissapointed.
body SERIOUS_ONLY /Serious (?:Enqueries|Inquiries) Only/i
describe SERIOUS_ONLY Serious Enqueries Only.
body RISK_FREE /risk free/i
describe RISK_FREE Risk free. Suuurreeee....
# "as seen on:" or "as seen on ..."
body AS_SEEN_ON /as seen
on(?::|\s*(?:NATIONAL|TV|ABC|NBC|CBS|CNN|Oprah|USA Today|48 Hours|New York Times))/i
describe AS_SEEN_ON As seen on national TV!
body NOT_INTENDED /not intended for residents ?(:of|in)/i
describe NOT_INTENDED Not intended for residents of XYZ.
# This phrase appears in many pyramid scheme mails in which
# "My Wife Jody" testimonials are absent
body COPY_ACCURATELY /copy.{1,10}name?.{1,10}address.{1,10}ACCURATELY/i
describe COPY_ACCURATELY Common pyramid scheme phrase (1)
body SEE_FOR_YOURSELF /See (?:for|it) yourself/i
describe SEE_FOR_YOURSELF See for yourself
# How many non-spammers send HTML mails that use Flash?
rawbody EMBEDED_OBJECT /<(?:object|embed)/i
describe EMBEDED_OBJECT Flash or similar plugin in HTML
uri BIZ_HTTP_ADDR /https?\:\/\/[^\/]+\.biz\//i
describe BIZ_HTTP_ADDR URI with a .biz domain
--
Visit http://dmoz.org, the world's | Give a man a match, and he'll be warm
largest human edited web directory. | for a minute, but set him on fire, and
| he'll be warm for the rest of his life.
[EMAIL PROTECTED] ICQ: 132152059 |
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
