SARE Rules

If the ruleset name ends in "post25x", it contains features that are supported in SpamAssassin 2.5x or higher. If you are running an earlier version of SpamAssassin please use the "pre25x" version of that set.

For auto-updates: RulesDuJour is a bash script intended to automatically download new versions of SpamAssassin rulesets as the authors release new versions.

Also available for auto-updates:Apache SpamAssassin's sa-update How to update SARE rulesets via Apache SpamAssassin's sa-update

Download Policy: You can download each and every ruleset once per 24 hour period per IP address. If you try to download the rulesets too often, you will receive an error message. If you are downloading rulesets from many locations behind a proxy, please set up your own ruleset repository for your clients. Again: One single download of every file per 24 hours per IP address.

*7x_sare_redirect_.cf**
Description:	Rules to detect commonly abused redirectors and uri obfuscation techniques.
Created by:	Jesse Houwing /w thanks to Loren Wilton
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes
RDJ usage:	add either "SARE_REDIRECT" (pre3.0.0) or "SARE_REDIRECT_POST300" (post3.0.0) to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
Note:	Read the changelog in the set itself. This set contains two HAM rules. These are disabled by default, you'll find them at the bottom of the set. The ruleset "sare_redirect" is available in two versions. The version that ends in post3.0.0 contains features that are supported in SpamAssassin 3.0 or higher. If you are running an earlier version of SpamAssassin please use the pre3.0.0 version of that set. Do not use both rulesets!
Sample Results:	To be done.

*70_sare_evilnum.cf**
Description:	Addresses and phone numbers harvested from spam
Created by:	Matt Yackley with contributions (too many to list!)
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes
RDJ usage:	add one or more of "SARE_EVILNUMBERS0", "SARE_EVILNUMBERS1", or "SARE_EVILNUMBERS2", to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_evilnum0.cf http://www.rulesemporium.com/rules/70_sare_evilnum1.cf http://www.rulesemporium.com/rules/70_sare_evilnum2.cf
PGP/GPG signature:	signed by Matt Yackley, key id 0x1129F0D3: http://www.rulesemporium.com/rules/70_sare_evilnum0.cf.sig http://www.rulesemporium.com/rules/70_sare_evilnum1.cf.sig http://www.rulesemporium.com/rules/70_sare_evilnum2.cf.sig
Note:	There are several ruleset files in this collection: 70_sare_evilnum0.cf contains those SARE_EN_* rules which in all SARE mass-check testing hit ONLY spam. Unlike 70_sare_evilnum0.cf, the 70_sare_evilnum1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests. However most would consider these ham messages as spam. Note: If you use this file 1, you should also use file 0 above. 70_sare_evilnum2.cf contains only rules which did not hit any spam or ham during the last masscheck, if you use this file you should also use file 0 & file 1.
Sample Results:	To be done.

70_sare_bayes_poison_nxm.cf
Description:	Bayes poison using lists of words with equal length
Created by:	Jesse Houwing
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes
RDJ usage:	add "SARE_BAYES_POISON_NXM" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf
Note:	N/A
Sample Results:	included in file

*70_sare_html.cf**
Description:	70_sare_html*.cf rulesets contain HTML coding rules that detect various spammer tricks applied through HTML coding within messages.
Created by:	Contributions from many SARE members; published by Bob Menschel
License Type:	Artistic/GPL dual
Status:	Active *
Version:	01.03.10
Auto-update:	Yes
RDJ usage:	add "SARE_HTML" to TRUSTED_RULESETS for the combined file (sare_html 0-3). For single rulesets add one or more of "SARE_HTML0", "SARE_HTML1", "SARE_HTML2", "SARE_HTML3" or "SARE_HTML_ENG" etc. to TRUSTED_RULESETS (more info)
Available at:	http://www.rulesemporium.com/rules/70_sare_html0.cf http://www.rulesemporium.com/rules/70_sare_html1.cf http://www.rulesemporium.com/rules/70_sare_html2.cf http://www.rulesemporium.com/rules/70_sare_html3.cf http://www.rulesemporium.com/rules/70_sare_html.cf (the four files above combined into one file) http://www.rulesemporium.com/rules/70_sare_html4.cf http://www.rulesemporium.com/rules/70_sare_html_arc.cf http://www.rulesemporium.com/rules/70_sare_html_eng.cf http://www.rulesemporium.com/rules/70_sare_html_x30.cf http://www.rulesemporium.com/rules/70_sare_html_x31.cf
PGP signatures:	signed by Robert Menschel, key id 0x38AA1D47: http://www.rulesemporium.com/rules/70_sare_html0.cf.sig http://www.rulesemporium.com/rules/70_sare_html1.cf.sig http://www.rulesemporium.com/rules/70_sare_html2.cf.sig http://www.rulesemporium.com/rules/70_sare_html3.cf.sig http://www.rulesemporium.com/rules/70_sare_html.cf.sig http://www.rulesemporium.com/rules/70_sare_html4.cf.sig http://www.rulesemporium.com/rules/70_sare_html_arc.cf.sig http://www.rulesemporium.com/rules/70_sare_html_eng.cf.sig http://www.rulesemporium.com/rules/70_sare_html_x30.cf.sig http://www.rulesemporium.com/rules/70_sare_html_x31.cf.sig
Note:	There are several ruleset files in this collection: 70_sare_html0.cf contains those SARE_HTML_* rules which in all SARE mass-check testing hit ONLY spam. This is the safest of the four SARE_HTML_* rulesets for use. Unlike 70_sare_html0.cf, the 70_sare_html1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests. The S/O calculated by SA's hit-frequencies scripts are all at or above 0.900. Systems which are excessively sensitive to false positives may want to exclude this ruleset, pick and choose among its rules, or lower their scores. Note: If you use this file 1, you should also use file 0 above. 70_sare_html2.cf contains only rules which test for various types of obfuscation within HTML coding. This subset of SARE_HTML_* rules do not hit any emails during SARE mass-check testing against current corpora. Therefore, systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset to avoid its regex overhead. 70_sare_html3.cf contains a subset of SARE_HTML_* rules which either hit a significant amount of ham during SARE mass-check tests, or hit so few spam that we cannot be confident that our scores are fully appropriate. Systems which are very sensitive to false positives and/or to computer resource requirements should probably NOT install this ruleset. 70_sare_html4.cf contains a subset of SARE_HTML_* rules which hit a lot of spam, but also hit large amounts of ham, over 100 ham in our corpus checks. We score these rules low to avoid FPs, but systems which are highly sensitive to FPs and/or computer resource requirements should not use this file. 70_sare_html_eng.cf contains a subset of SARE_HTML_* rules which we believe are useful for systems that expect ham only in the English language, and not in other languages. These rules are liable to FP against non-spam messages in languages that use accented characters. 70_sare_html_x30.cf contains a subset of SARE_HTML_* rules which have been incorporated into SpamAssassin version 3.0.0. Systems which are running this latest version should not use this file. This file is appropriate for systems running SA 2.6x or 2.5x. 70_sare_html_arc.cf contains a subset of SARE_HTML_* rules which seem to no longer be useful. They no longer hit enough spam to warrant their use. SARE will test these rules regularly, and will revive those that become useful again by moving them to the other files. Only the very most agressive of systems should use this file. The first four files are also available combined into one file as 70_sare_html.cf (no digit)
Sample Results:	masscheck for html0 thru html3 (2004-06-12)

70_sare_header?.cf

Description:

70_sare_header?.cf rulesets contain Header rules that are not found in other SARE rulesets.

Created by:

Contributions from many SARE members; published by Bob Menschel

License Type:

Artistic/GPL dual

Status:

Active *

Last update:

2006-05-21

Version:

01.03.21

Auto-update:

Yes

RDJ usage:

add "SARE_HEADER" to TRUSTED_RULESETS for the combined file (sare_header 0-3). For single rulesets add one or more of "SARE_HEADER0", "SARE_HEADER1", "SARE_HEADER2", "SARE_HEADER3", "SARE_HEADER_ENG", "SARE_HEADER_X264_X30", "SARE_HEADER_X30" to TRUSTED_RULESETS

Available at:

PGP signatures:

Note:

There are nine ruleset files in this collection:

70_sare_header0.cf contains those header rules which in all SARE mass-check testing hit ONLY spam. This is the safest of the four header rulesets for use.
Unlike 70_sare_header0.cf, the 70_sare_header1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests. The S/O calculated by SA's hit-frequencies scripts are all at or above 0.900. This file also contains rules which hit only spam, but fewer than 10 spam in our mass-check tests. Systems which are highly sensitive to false positives and/or tight on resources may want to exclude this ruleset, pick and choose among its rules, or lower their scores.
70_sare_header2.cf contains only rules which should never hit ham, but that do not currently hit any emails during SARE mass-check testing against current corpora. Therefore, systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset to avoid its regex overhead.
70_sare_header3.cf contains a subset of header rules which hit a significant amount of ham during SARE mass-check tests. Systems which are very sensitive to false positives should probably NOT install this ruleset.
70_sare_header_eng.cf contains header rules which work well where English is the only expected language, but that may cause false positives in systems which receive a significant number of emails in other languages.
70_sare_header_x264_x30.cf contains header rules which have been merged into the SpamAssassin distribution rule set in version 2.64. These rules are also part of the distribution rule set in version 3.0.0. Systems which have upgraded to either of these two versions should not use this file. Systems running any 2.5x or 2.60 through 2.63 version should benefit from these rules.
70_sare_header_x30.cf contains header rules which have been merged into the SpamAssassin distribution rule set in version 3.0.0. Systems which have upgraded to this version should not use this file. Systems running any 2.5x or 2.6x version should benefit from these rules.
70_sare_header_x31.cf contains header rules which have been merged into the SpamAssassin distribution rule set in version 3.1.0. Systems which have upgraded to this version should not use this file. Systems running any 2.5x, 2.6x, or 3.0.x version should benefit from these rules.
70_sare_header_arc.cf contains header rules which used to work, but which no longer hit spam, or that hit too many ham. SARE will continue testing these rules and will reactivate any that again become productive. This rules file should be used only by the most aggressive systems with available resources.

70_sare_header.cf (with no digit) contains the first four files combined together.

Sample Results:

masscheck of file 0 (2004-08-21)
masscheck of file 1 (2004-08-21)
masscheck of file 3 (2004-08-21)
masscheck of the English language file (2004-08-21)
masscheck of the Version 2.64/3.0 duplicate rule file (2004-08-21)
masscheck of the Version 3.0 duplicate rule file (2004-08-21)

70_sare_specific.cf
Description:	Rule set which flags specific spam and/or spam from specific spammers
Created by:	Bob Menschel, with help from other SARE ninjas
License Type:	Artistic/GPL dual
Status:	Active *
Last update:	2006-05-27
Version:	01.03.13
Auto-update:	Yes
RDJ usage:	add "SARE_SPECIFIC" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_specific.cf
Note:	Incorporates Chris Santerre's Mr. Wiggly rules
Sample Results:	Masscheck results (2004-08-18)

70_sare_ratware.cf
Description:	Needs description
Created by:
License Type:	Artistic/GPL dual
Status:	Obsolete *
Auto-update:	No
Available at:	http://www.rulesemporium.com/rules/70_sare_ratware.cf
Note:	This file has mostly been split out into other, newer rule set files. The last two rules will be migrated this month (September), and then the rule set file deleted.

70_sare_adult.cf
Description:	SARE Adult rules are designed to catch spam with "Adult" material.
Created by:	Matt Yackley with contributions (too many to list!)
License Type:	Artistic/GPL dual
Status:	Active *
Version:	01.02.01
Auto-update:	Yes
RDJ usage:	add "SARE_ADULT" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_adult.cf
Note:	N/A
Sample Results:	Masscheck results (2004-04-09)

*7x_sare_bml_learn_.cf**
Description:	SARE "BML" rules are designed to catch "business, marketing and educational" spam.
Created by:	Matt Yackley with contributions (too many to list!)
License Type:	Artistic/GPL dual
Status:	Active *
Version:	01.02.01
Auto-update:	Yes
RDJ usage:	add "SARE_BML" (post25x) or "SARE_BML_PRE25X" (pre25x) to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf http://www.rulesemporium.com/rules/71_sare_bml_pre25x.cf
Note:	The ruleset "biz_market_learn" is available in two versions. The version that ends in post25x contains features that are supported in SpamAssassin 2.5x or higher. If you are running an earlier version of SpamAssassin please use the "pre25x" version of that set. Do not use both rulesets!
Sample Results:	Masscheck results for post25x (2004-05-08) Masscheck results for pre25x (2004-04-13)

*99_sare_fraud_.cf**
Description:	SARE Fraud rules are designed to catch "Nigerian 419", "International Lotto", etc. type scams.
Created by:	Matt Yackley (inspired by the work of Carl Friend, w/ submissions from Bob Menschel)
License Type:	Artistic/GPL dual
Status:	Active *
Version:	01.03.02
Auto-update:	Yes
RDJ usage:	add "SARE_FRAUD" (post25x) or "SARE_FRAUD_PRE25X" (pre25x) to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf http://www.rulesemporium.com/rules/99_sare_fraud_pre25x.cf
Note:	The ruleset "fraud" is available in two versions. The version that ends in post25x contains features that are supported in SpamAssassin 2.5x or higher. If you are running an earlier version of SpamAssassin please use the "pre25x" version of that set. Do not use both rulesets!
Sample Results:	Masscheck results for post25x (2004-04-11) Masscheck results for pre25x (2004-04-13)

70_sare_spoof.cf
Description:	70_sare_spoof.cf tries to detect common spoofing attempts by spammers. Many use a Message-ID of one provider but the message was never passed through the suggested system.
Created by:	Fred Tarasevicius & Robert Menschel
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes
RDJ usage:	add "SARE_SPOOF" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_spoof.cf
Note:	N/A
Sample Results:	Masscheck results (2004-08-21)

70_sare_random.cf
Description:	70_sare_random.cf tries to detect common mis-fires on bulk mail software. Many signs are found like: %RND_NUMBER, etc.
Created by:	Fred Tarasevicius with contributions (too many to list!)
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes
RDJ usage:	add "SARE_RANDOM" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_random.cf
Note:	N/A
Sample Results:	Masscheck results (2004-08-21)

70_sc_top200.cf
Description:	70_sc_top200.cf is the Top 200 spam relays condensed into as few rules as possible. If you use this, please see notes below.
Created by:	Fred Tarasevicius
License Type:	Artistic/GPL dual
Status:	Active *
Last update:	see note below
Version:	01.00.00
Auto-update:	Yes - Mandatory
RDJ usage:	add "SARE_SPAMCOP_TOP200" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sc_top200.cf
Note:	Do not use these if you use SpamCop.net's blacklist (Default with net enabled on 2.63). This ruleset is created from that data. You must use some type of update script or manually update these often. The Top 200 list is dynamically created once a day and these rules are generated from that data. The rules are automatically uploaded to this server at random times monday-friday.
Sample Results:	Dynamic data does not produce good results, this data is the top 200 and as long as you update, it should work very good for you.

70_sare_oem.cf
Description:	70_sare_oem.cf tries to detect people selling OEM software to consumers.
Created by:	Fred Tarasevicius w/ Additions by Jesse Houwing
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes
RDJ usage:	add "SARE_OEM" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_oem.cf
Note:	N/A
Sample Results:	Masscheck results (2004-08-21)

*70_sare_genlsubj.cf**
Description:	70_sare_genlsubj*.cf rulesets contain Subject header rules that are not found in other SARE rulesets.
Created by:	Contributions from many SARE members; published by Bob Menschel
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes
RDJ usage:	add one or more of "SARE_GENLSUBJ0", "SARE_GENLSUBJ1", "SARE_GENLSUBJ2", "SARE_GENLSUBJ3", "SARE_GENLSUBJ4", "SARE_GENLSUBJ_ENG" and/or (for files 0 through 3 combined) "SARE_GENLSUBJ" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf http://www.rulesemporium.com/rules/70_sare_genlsubj1.cf http://www.rulesemporium.com/rules/70_sare_genlsubj2.cf http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf http://www.rulesemporium.com/rules/70_sare_genlsubj4.cf http://www.rulesemporium.com/rules/70_sare_genlsubj_arc.cf http://www.rulesemporium.com/rules/70_sare_genlsubj_eng.cf http://www.rulesemporium.com/rules/70_sare_genlsubj_x30.cf http://www.rulesemporium.com/rules/70_sare_genlsubj.cf
PGP signatures:	signed by Robert Menschel, key id 0x38AA1D47: http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf.sig http://www.rulesemporium.com/rules/70_sare_genlsubj1.cf.sig http://www.rulesemporium.com/rules/70_sare_genlsubj2.cf.sig http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf.sig http://www.rulesemporium.com/rules/70_sare_genlsubj4.cf.sig http://www.rulesemporium.com/rules/70_sare_genlsubj_arc.cf.sig http://www.rulesemporium.com/rules/70_sare_genlsubj_eng.cf.sig http://www.rulesemporium.com/rules/70_sare_genlsubj_x30.cf.sig http://www.rulesemporium.com/rules/70_sare_genlsubj.cf.sig
Note:	There are nine ruleset files in this collection: 70_sare_genlsubj0.cf contains those SARE_SUB_* rules which in all mass-check testing hit ONLY spam. More, as of version 01.02.00, only those rules that hit "signficant" spam are included. This is the safest and most productive of the seven SARE_SUB_* rulesets for use. However, systems that serve specific industries should pay attention to the subject rules included and remove those that may cause false positives in your industries. Unlike 70_sare_genlsubj0.cf, the 70_sare_genlsubj1.cf ruleset contains rules which a) do (or in the past have) hit ham during SARE mass-check tests (The S/O calculated by SA's hit-frequencies scripts are all at or above 0.900), b) hit only spam but have never hit more than 10 spam in any single mass-check run, or c) hit only spam but do not currently hit 10 spam across all recent mass-check runs. Systems which are excessively sensitive to false positives and/or have resource problems may want to exclude this ruleset, pick and choose among its rules, or lower their scores. 70_sare_genlsubj2.cf contains only rules which test for obfuscation within subject headers. These rules have been examined to avoid false positives, to hit only on their obfuscated targets. This file is therefore considered "safe." However, this subset of SARE_SUB__OB rules do not hit any emails during SARE mass-check testing against current corpora. Therefore, systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset to avoid its regex overhead. 70_sare_genlsubj3.cf contains a subset of SARE_SUB_* rules which hit a significant amount of ham during SARE mass-check tests. Systems which are very sensitive to false positives should NOT install this ruleset. However, these rules are included in this file because SARE members find them useful. Therefore aggressively anti-spam systems that do not need to be conservative in their spam analysis may wish to include this file. 70_sare_genlsubj4.cf contains a subset of SARE_SUB_* rules which hit lots of ham during SARE mass-check tests. Only the very most aggressive systems, those highly tolerant of false positives, should use this rule set. These rules are included in this file because SARE members found them useful, and don't yet feel justified to completely archive them. Therefore aggressively anti-spam systems that do not need to be conservative in their spam analysis may wish to include this file. 70_sare_genlsubj_eng.cf contains a subset of SARE_SUB_* rules which seem to be language-dependent, specifically dependent upon the English languages. Systems that receive almost exclusively English emails can benefit greatly from this file. However, if run against emails written in a different language, these rules might be more or less likely to hit spam and/or ham. SARE doesn't have enough non-English spam to determine what might happen. Therefore, if your inbound emails contain significant non-english messages, you should avoid this file. 70_sare_genlsubj_x30.cf contains SARE_SUB_* rules which have been incorporated into the distribution rules for SpamAssassin version 3.0.0, or which duplicate rules within that distribution set. Systems that have implemented SpamAssassin 3.0.0 should not use the rules in this file. 70_sare_genlsubj_arc.cf contains a subset of SARE_SUB_* rules which used to hit spam, but which during recent mass-check runs have not hit any emails at all (or hit more ham than spam). SARE will retest these regularly, and move those that again begin to hit spam into the other files within this set. Systems with plenty of horsepower may wish to include this file, to gain benefits faster if/when these rules begin to hit spam again. Systems that are the least bit sensitive to resource usage should avoid tihs file. 70_sare_genlsubj.cf (with no digit or suffix) contains the first four files combined together.
Sample Results:	masscheck of file 0 (2004-08-19) masscheck of file 1 (2004-08-19) masscheck of file 3 (2004-08-19) masscheck of the English language file (2004-08-19) masscheck of the Version 3.0 duplicate rule file (2004-08-19)

70_sare_highrisk.cf
Description:	70_sare_highrisk.cf is developed because there are spam signs which readily detect spam, and which in our testing do not flag significant ham, but theoretically there is no reason for such rules to not flag ham. We therefore consider these to be "high risk" rules, useful for many systems at this time, but not suitable for systems that must be very conservative and cautious in their spam detection.
Created by:	Robert Menschel
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes.
RDJ usage:	add "SARE_HIGHRISK" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_highrisk.cf
Note:	Because of the risk factor, if you use these rules, and if you use an auto-update script, you should include this script in that auto-update. This will automate any decrease in score or rule elimination required by the discovery of new hams that match the rule. As of May 28 2004, there is one rule in this rule set, moved here from the spoof rule set.
Sample Results:	Masscheck results (2004-05-25)

70_sare_unsub.cf
Description:	70_sare_unsub.cf looks for common unsubscribe phrases and codes in spam.
Created by:	Chris Santerre
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes.
RDJ usage:	add "SARE_UNSUB" to TRUSTED_RULESETS
Available at:	http://www.rulesemporium.com/rules/70_sare_unsub.cf
Note:	Great results on this one. Please report any false positives to csanterre@rulesemporium.com
Sample Results:	Masscheck results (2004-08-21) (Out-dated)

70_sare_uri.cf
Description:	The 70_sare_uri*.cf files look for spamsign in URI links within emails. It is not intended to replace SURBL or BigEvil, but instead will use characteritics that these domain-based tests cannot track.
Created by:	Bob Menschel
License Type:	Artistic/GPL dual
Status:	Active *
Last update:	2005-10-05
Version:	01.01.04
Auto-update:	Yes. Note: File names have changed with version 01.01.00 -- If you use RDJ for auto-updating, please update your RDJ parameters.
RDJ usage:	add one or more of "SARE_URI0", "SARE_URI1", "SARE_URI3", or "SARE_URI_ENG" to TRUSTED_RULESETS
Available at http://www.rulesemporium.com/rules:	70_sare_uri0.cf 70_sare_uri1.cf 70_sare_uri2.cf 70_sare_uri3.cf 70_sare_uri4.cf 70_sare_uri_eng.cf 70_sare_uri_x31.cf
PGP signatures at http://www.rulesemporium.com/rules:	70_sare_uri0.cf.sig 70_sare_uri1.cf.sig 70_sare_uri2.cf.sig 70_sare_uri3.cf.sig 70_sare_uri4.cf.sig 70_sare_uri_eng.cf.sig 70_sare_uri_x31.cf.sig
Note:	There are seven ruleset files in this collection: 70_sare_uri0.cf contains those uri rules which in all SARE mass-check testing hit ONLY spam. This is the safest of the four uri rulesets for use. Unlike 70_sare_uri0.cf, the 70_sare_uri1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests. The S/O calculated by SA's hit-frequencies scripts are all at or above 0.900. This file also contains rules which hit only spam, but fewer than 10 spam in our mass-check tests. Systems which are highly sensitive to false positives and/or tight on resources may want to exclude this ruleset, pick and choose among its rules, or lower their scores. 70_sare_uri2.cf contains a subset of uri rules which hit no spam or han in current SARE mass-check tests, but we're reasonably confident that if they do hit emails, those emails will be spam. Systems which are very tight on resources should avoid this file, but others may occasionally benefit from this file. 70_sare_uri3.cf contains a subset of uri rules which hit a significant amount of ham during SARE mass-check tests. Systems which are very sensitive to false positives should probably NOT install this ruleset. 70_sare_uri4.cf contains a subset of uri rules which hit lots of ham during SARE mass-check tests. Systems which are sensitive to false positives definitely should NOT install this ruleset. This rule set file is for only the most aggressive of systems. 70_sare_uri_eng.cf contains uri rules which work well where English is the only expected language, but that may cause false positives in systems which receive a significant number of emails in other languages. 70_sare_uri_x31.cf contains uri rules which have been incorporated into SpamAssassin 3.1.0 (or replaced by rules within SA 3.1.0). This file can be used by systems still running SpamAssassin 3.0.x or earlier.

70_sare_whitelist.cf and derivatives
Description:	Whitelist directives used to whitelist newsletters and mailing lists that are controlled/monitored to be free of spam, but might occasioanlly be flagged as spam by SpamAssassin because of "spammy" contents.
Created by:	Bob Menschel, RMsa@menschel.net
License Type:	Artistic/GPL dual
Status:	Active *
Auto-update:	Yes
RDJ usage:	add "SARE_WHITELIST", "SARE_WHITELIST_SPF", "SARE_WHITELIST_RCVD", or "SARE_WHITELIST_PRE30" to TRUSTED_RULESETS.
Available at:	http://www.rulesemporium.com/rules/70_sare_whitelist.cf. This file is suitable for use by SpamAssassin version 3.0.x, or 3.1.0 or higher without network tests. http://www.rulesemporium.com/rules/70_sare_whitelist_rcvd.cf and http://www.rulesemporium.com/rules/70_sare_whitelist_spf.cf. These two files (new with version 01.00.06) are intended for SpamAssassin version 3.1.0 or higher, with network and SPF tests enabled. Any whitelist which can be validated using SPF will be found in whitelist_spf.cf, and the remainder are in whitelist_rcvd.cf. Systems older than 3.1.0 and systems without network tests or without SPF modules cannot use whitelist_spf.cf, and therefore should use the primary file above. http://www.rulesemporium.com/rules/70_sare_whitelist_pre30.cf. The primary file (listed first above) includes in-line commenting which is valid in SpamAssassin 3.0.0 and newer, but wasn't valid in versions 2.5x or 2.6x. Systems with versions of SpamAssassin older than 3.0.0 should instead use this version of the file, which has those comment lines removed.
Note:	Please read the internal documentation. Note that since this file contains whitelist_from_rcvd directives, and not regex-based rules, this file or extracts from it could be used within an individual's user_prefs file. Please send recommendations or complaints to Bob Menschel, RMsa@menschel.net
Sample Results:	Not available (have not been able to figure out how to mass-check whitelist rules).

70_sare_obfu.cf
Description:	The 70_sare_obfu*.cf files look for obfuscation within emails. It looks for the various tricks spammers use to hide their message from spam filters, while keeping their messages readable to humans. It treats these as spamsign.
Created by:	Bob Menschel
License Type:	Artistic/GPL dual
Status:	Active *
Last update:	2005-10-01
Version:	01.00.08
Auto-update:	Yes.
RDJ usage:	add either "SARE_OBFU" (for sets 0 and 1), or one or more of "SARE_OBFU0", "SARE_OBFU1", "SARE_OBFU2", or "SARE_OBFU3" to TRUSTED_RULESETS
Available at http://www.rulesemporium.com/rules:	70_sare_obfu.cf 70_sare_obfu0.cf 70_sare_obfu1.cf 70_sare_obfu2.cf 70_sare_obfu3.cf 70_sare_obfu4.cf 70_sare_obfu_x31.cf
PGP signatures at http://www.rulesemporium.com/rules:	70_sare_obfu.cf.sig 70_sare_obfu0.cf.sig 70_sare_obfu1.cf.sig 70_sare_obfu2.cf.sig 70_sare_obfu3.cf.sig 70_sare_obfu4.cf.sig 70_sare_obfu_x31.cf.sig
Note:	There are seven ruleset files in this collection: 70_sare_obfu0.cf contains those obfu rules which in all SARE mass-check testing hit ONLY spam, and a significant amount of spam. This is the safest of the four obfu rulesets for use. Unlike 70_sare_obfu0.cf, the 70_sare_obfu1.cf ruleset contains rules which do (or in the past have) hit ham during SARE mass-check tests, and/or which hit too few spam to qualify for file 0. The S/O calculated by SA's hit-frequencies scripts are all at or above 0.900. Systems which are highly sensitive to false positives and/or tight on resources may want to exclude this ruleset, pick and choose among its rules, or lower their scores. 70_sare_obfu2.cf contains a subset of obfu rules which seem like they would be useful in file 0 or file 1, but which do not currently hit any spam. Systems which want to be very aggressive and proactive against spam, and which have lots of available computer resources, may want to include this file. Systems which are in the least bit concerned about system resources should avoid this file. 70_sare_obfu3.cf contains a subset of obfu rules which hit a significant amount of ham during SARE mass-check tests. Systems which are sensitive to false positives or tight on system resources should probably NOT install this ruleset. 70_sare_obfu4.cf contains a subset of obfu rules which hit a lot of ham, and should be used by only the most aggressive sites. 70_sare_obfu.cf contains all the rules in files 0 and 1 above. It enables systems which want both of these files to use them via just one file. Note that unlike most of our multi-file rule sets, this 70_sare_obfu.cf file does not include files 2 or 3, because of the significant resources required to run these obfuscation rules. 70_sare_obfu_x31.cf contains a subset of SARE_OBFU_* rules which have been incorporated into SpamAssassin version 3.1.0. Systems which are running this latest version should not use this file. This file is appropriate for systems running SA 3.0.x or earlier.

70_sare_stocks.cf
Description:	Rulename.cf description - This is a good set of rules for stock spams.
Created by:	Doc Schneider
License Type:	Artistic/GPL dual
Status:	Active *
Last update:	08/18/2007
Version:	01.01.02
Auto-update:	Yes
Available at:	http://www.rulesemporium.com/rules/70_sare_stocks.cf
Note:	NOTICE: You need to upgrade RulesDuJour before adding this rule. Please read the internal documentation.
RDJ usage:	add "SARE_STOCKS" to TRUSTED_RULESETS