# SARE Header Abuse Ruleset for SpamAssassin -- file 4
# Version:  01.03.21
# Created:  2004-04-25
# Modified: 2006-05-21
# Usage instructions and documentation in 70_sare_header0.cf 

# Full Revision History / Change Log in 70_sare_header.log
#@@# 01.03.17  May ?? 2006
#@@#           Minor score updates based on additional mass-check
#@@#           Modified "rule has been moved" meta flags 
#@@#           Archived from file 4:     SARE_BOUNDARY_D2
#@@#           Archived from file 4:     SARE_FROM_NONE
#@@#           Archived from file 4:     SARE_MSGID_EMPTY
#@@#           Archived from file 4:     SARE_MSGID_RATWARE1
#@@#           Archived from file 4:     SARE_MULT_LCASE_X2
#@@#           Archived from file 4:     SARE_RECV_IP_063209158
#@@#           Archived from file 4:     SARE_RECV_IP_066154
#@@#           Archived from file 4:     SARE_RECV_IP_213253
#@@#           Archived from file 4:     SARE_XMAIL_RANDMAILER2

meta      __SARE_HEAD_FALSE        __FROM_AOL_COM && !__FROM_AOL_COM
meta      SARE_XMAIL_SUSP1         __SARE_HEAD_FALSE
meta      SARE_BOUNDARY_D2         __SARE_HEAD_FALSE
meta      SARE_FROM_NONE           __SARE_HEAD_FALSE
meta      SARE_MSGID_EMPTY         __SARE_HEAD_FALSE
meta      SARE_MSGID_RATWARE1      __SARE_HEAD_FALSE
meta      SARE_MULT_LCASE_X2       __SARE_HEAD_FALSE
meta      SARE_RECV_IP_063209158   __SARE_HEAD_FALSE
meta      SARE_RECV_IP_066154      __SARE_HEAD_FALSE
meta      SARE_RECV_IP_213253      __SARE_HEAD_FALSE
meta      SARE_XMAIL_RANDMAILER2   __SARE_HEAD_FALSE

#####################################################################################
#         SARE Message-ID rules
########  ######################   ##################################################

header    SARE_MSGID_ALL_LC        MESSAGEID =~ /<[a-z0-9]+>/  # no /i
describe  SARE_MSGID_ALL_LC        all-lower-case with numbers message-id 
score     SARE_MSGID_ALL_LC        0.111
#ham      SARE_MSGID_ALL_LC        confirmed
#hist     SARE_MSGID_ALL_LC        Created by Bob Menschel May 31 2004
#counts   SARE_MSGID_ALL_LC        1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_MSGID_ALL_LC        13s/0h of 66970 corpus (41750s/25220h RM) 09/04/04
#counts   SARE_MSGID_ALL_LC        2s/4h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_MSGID_ALL_LC        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_ALL_LC        1s/0h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_MSGID_ALL_LC        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_MSGID_ALL_LC        5s/0h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_MSGID_ALL_LC        1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    __SARE_MSGID_LONG55        MESSAGEID =~ /[a-z0-9\$]{55}/
meta      SARE_MSGID_LONG55        __SARE_MSGID_LONG55 && !__SARE_MSGID_LONG65 && !__SARE_MSGID_LONG75
describe  SARE_MSGID_LONG55        Message ID has suspicious length
score     SARE_MSGID_LONG55        0.167
#hist     SARE_MSGID_LONG55        Created by Frederic Tarasevicius
#counts   SARE_MSGID_LONG55        0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_MSGID_LONG55        5s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_MSGID_LONG55        1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_MSGID_LONG55        3s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_MSGID_LONG55        0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_MSGID_LONG55        4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_MSGID_LONG55        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_LONG55        2s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06

header    __SARE_MSGID_LONG65        MESSAGEID =~ /[a-z0-9\$]{65}/
meta      SARE_MSGID_LONG65        __SARE_MSGID_LONG65 && !__SARE_MSGID_LONG75
describe  SARE_MSGID_LONG65        Message ID has suspicious length
score     SARE_MSGID_LONG65        0.130
#hist     SARE_MSGID_LONG65        Created by Frederic Tarasevicius
#counts   SARE_MSGID_LONG65        4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_MSGID_LONG65        5s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_MSGID_LONG65        3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_MSGID_LONG65        0s/5h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_MSGID_LONG65        3s/4h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_MSGID_LONG65        0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_MSGID_LONG65        1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_LONG65        7s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06

header    SARE_MSGID_LONG75        MESSAGEID =~ /[a-z0-9\$]{75}/
describe  SARE_MSGID_LONG75        Message ID has suspicious length
score     SARE_MSGID_LONG75        0.093
#hist     SARE_MSGID_LONG75        Created by Frederic Tarasevicius
#counts   SARE_MSGID_LONG75        4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_MSGID_LONG75        6s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_MSGID_LONG75        3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_MSGID_LONG75        0s/5h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_MSGID_LONG75        3s/4h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_MSGID_LONG75        0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_MSGID_LONG75        1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_LONG75        3s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06

#####################################################################################
#         SARE Received Header Rules
########  ######################   ##################################################

header    SARE_RECV_SPAM_DOMN05    Received =~ /\b(?:sdi\.tpnet)\.pl/
describe  SARE_RECV_SPAM_DOMN05    Email passed through apparent spammer domain 
score     SARE_RECV_SPAM_DOMN05    0.413
#counts   SARE_RECV_SPAM_DOMN05    2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_SPAM_DOMN05    31s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_SPAM_DOMN05    8s/0h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_RECV_SPAM_DOMN05    0s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_RECV_SPAM_DOMN05    4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_SPAM_DOMN05    70s/0h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_RECV_SPAM_DOMN05    16s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06
#counts   SARE_RECV_SPAM_DOMN05    15s/15h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_SPAM_DOMN05    6s/0h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_RECV_SPAM_DOMN05    2s/0h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_RECV_SPAM_DOMN05    2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04

header    SARE_RECV_SPAM_DOMN81    Received =~ /\btiscali\b/
describe  SARE_RECV_SPAM_DOMN81    Spam passed through tiscali.com relay
score     SARE_RECV_SPAM_DOMN81    0.092
#hist     SARE_RECV_SPAM_DOMN81    Created by Bob Menschel June 7 2004
#hist     SARE_RECV_SPAM_DOMN81    Generalized to all tiscali servers Nov 16 2004
#counts   SARE_RECV_SPAM_DOMN81    376s/15h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_SPAM_DOMN81    1171s/105h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_SPAM_DOMN81    202s/113h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_RECV_SPAM_DOMN81    25s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_RECV_SPAM_DOMN81    39s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_SPAM_DOMN81    349s/9h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_RECV_SPAM_DOMN81    48s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06
#counts   SARE_RECV_SPAM_DOMN81    72s/26h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_SPAM_DOMN81    94s/565h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_RECV_SPAM_DOMN81    22s/0h of 22944 corpus (17229s/5715h MY) 05/14/06

header    SARE_RECV_SPAM_NAME0     Received =~ /\btopsitesmail/i 
describe  SARE_RECV_SPAM_NAME0     Email passed through probable spammer relay
score     SARE_RECV_SPAM_NAME0     0.389
#counts   SARE_RECV_SPAM_NAME0     0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_SPAM_NAME0     11s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts   SARE_RECV_SPAM_NAME0     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_SPAM_NAME0     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_RECV_SPAM_NAME0     1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_SPAM_NAME0     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_SPAM_NAME0     7s/0h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_RECV_SPAM_NAME0     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_SUSP_3         Received =~ m'\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(\[(?!\1)\d{1,3}(?:\.\d{1,3}){3}\]\)'
describe  SARE_RECV_SUSP_3         Dotquad hostname doesn't match HELO dotquad.
score     SARE_RECV_SUSP_3         1.111
#hist     SARE_RECV_SUSP_3         LW_FAKED_DOTQUAD         
#counts   SARE_RECV_SUSP_3         108s/30h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_SUSP_3         4129s/196h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SUSP_3         69s/11h of 9984 corpus (5650s/4334h AxB) 05/14/06
#counts   SARE_RECV_SUSP_3         2630s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_SUSP_3         2963s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_RECV_SUSP_3         22s/5h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_RECV_SUSP_3         6s/4h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_RECV_SUSP_3         112s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_SUSP_3         5s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_RECV_SUSP_3         11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_SUSP_3         3456s/0h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_RECV_SUSP_3         4739s/4h of 42266 corpus (34149s/8117h FVGT) 05/15/06

#####################################################################################
#         SARE Received Header IP Address Rules
########  ######################   ##################################################

header    SARE_RECV_IP_211104      Received =~ /\[211\.1(?:0[4-9]|1\d)\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_211104      Spam passed through possible spammer relay
score     SARE_RECV_IP_211104      0.404
#counts   SARE_RECV_IP_211104      605s/154h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_IP_211104      7125s/265h of 120459 corpus (71363s/49096h RM) 02/12/05
#counts   SARE_RECV_IP_211104      124s/5h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_RECV_IP_211104      123s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_211104      8s/6h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_RECV_IP_211104      22s/0h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_RECV_IP_211104      97s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_211104      23s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_RECV_IP_211104      60s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_211104      222s/0h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_RECV_IP_211104      81s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06

#####################################################################################
#         SARE X-Mailer Rules
########  ######################   ##################################################

header    SARE_XMAIL_SUSP2         X-Mailer =~ /^(?:[a-z]{4,20}[\-\.\,]? ){2,8}/    # no /i, trailing space
describe  SARE_XMAIL_SUSP2         X-Mailer suggests spam 
score     SARE_XMAIL_SUSP2         0.643
#hist     SARE_XMAIL_SUSP2         Loren Wilton, LW_BOGUS_MAILER
#counts   SARE_XMAIL_SUSP2         61s/5h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_XMAIL_SUSP2         343s/119h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_XMAIL_SUSP2         20s/0h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_XMAIL_SUSP2         238s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_XMAIL_SUSP2         69s/19h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_XMAIL_SUSP2         0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_XMAIL_SUSP2         59s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_XMAIL_SUSP2         18s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_XMAIL_SUSP2         40s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_XMAIL_SUSP2         79s/8h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_XMAIL_SUSP2         34s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06

#####################################################################################
#         SARE Content-Type and Boundary rules
########  ######################   ##################################################

#####################################################################################
#         SARE From Rules 
########  ######################   ##################################################

header    SARE_FROM_LEAD_PREP      From =~ /^(?:A|About|All|An|And|Any|As|At(?:tn:?)|Be|Best|Bulk|Cash|Earn|Easy|Fast|Find|For|From|Get|Hi|Home|In|Instant|Is|It|Its|Limited|Lose|Love|Make|Need|New|No|Save|Sex|She|Special|Stock|Stop|Take|Test|There|This|To|Try|Want|We|What|Where|Why|You|Your)[_ ]/i
describe  SARE_FROM_LEAD_PREP      From begins with preposition or similar word
score     SARE_FROM_LEAD_PREP      0.943
#hist     SARE_FROM_LEAD_PREP      Originally submitted by Bob Menschel
#counts   SARE_FROM_LEAD_PREP      1093s/35h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_FROM_LEAD_PREP      1962s/211h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_LEAD_PREP      262s/1h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_FROM_LEAD_PREP      45s/2h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_FROM_LEAD_PREP      94s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FROM_LEAD_PREP      127s/2h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_FROM_LEAD_PREP      0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_LEAD_PREP      10s/1h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_FROM_LEAD_PREP      92s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_LEAD_PREP      2166s/11h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_FROM_LEAD_PREP      66s/1h of 42266 corpus (34149s/8117h FVGT) 05/15/06

header    SARE_FROM_NOTLD          From:addr !~ /\./ [if-unset: foo@bar.com]
describe  SARE_FROM_NOTLD          No TLD identified in from address
score     SARE_FROM_NOTLD          0.958
#hist     SARE_FROM_NOTLD          Fred Tarasevicius, Aug 2005
#counts   SARE_FROM_NOTLD          403s/6h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_FROM_NOTLD          1260s/213h of 444524 corpus (205759s/238765h RM) 08/07/05
#counts   SARE_FROM_NOTLD          4s/8h of 9984 corpus (5650s/4334h AxB) 05/14/06
#counts   SARE_FROM_NOTLD          18s/1h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_FROM_NOTLD          64s/0h of 10553 corpus (5781s/4772h CT) 08/06/05
#counts   SARE_FROM_NOTLD          234s/0h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_FROM_NOTLD          623s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06
#counts   SARE_FROM_NOTLD          21s/0h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_FROM_NOTLD          1s/2h of 22944 corpus (17229s/5715h MY) 05/14/06

header    SARE_FROM_NUM_9DIG       From =~ /\b[a-z]+\d{9,}\@/i
describe  SARE_FROM_NUM_9DIG       Apparent spammer email address pattern
score     SARE_FROM_NUM_9DIG       0.110
#ham      SARE_FROM_NUM_9DIG       verified (5) 
#hist     SARE_FROM_NUM_9DIG       Created by Bob Menschel May 24 2004
#addsto   SARE_FROM_NUM_9DIG       SARE_FROM_NUM_8DIG, SARE_FROM_NUM_HOTML
#counts   SARE_FROM_NUM_9DIG       95s/167h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_FROM_NUM_9DIG       1208s/233h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_NUM_9DIG       16s/1h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_FROM_NUM_9DIG       59s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FROM_NUM_9DIG       63s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_NUM_9DIG       8s/0h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_FROM_NUM_9DIG       0s/0h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_FROM_NUM_9DIG       9s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_NUM_9DIG       1s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_FROM_NUM_9DIG       3s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_NUM_9DIG       128s/0h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_FROM_NUM_9DIG       28s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06

header    SARE_FROM_SPACE2         From =~ /(?!"  " <)"[\w., -]+ " </
describe  SARE_FROM_SPACE2         Odd name format
score     SARE_FROM_SPACE2         0.498
#hist     SARE_FROM_SPACE2         LW_FROM_SPACE, Loren Wilton
#counts   SARE_FROM_SPACE2         584s/119h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_FROM_SPACE2         728s/131h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_FROM_SPACE2         296s/3h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_FROM_SPACE2         236s/7h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_FROM_SPACE2         271s/6h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_FROM_SPACE2         146s/5h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_FROM_SPACE2         394s/3h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FROM_SPACE2         63s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_FROM_SPACE2         168s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_SPACE2         402s/107h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_FROM_SPACE2         403s/21h of 42266 corpus (34149s/8117h FVGT) 05/15/06

#####################################################################################
#         SARE From Rules -- Emails coming from free webmail accounts
#         Since spam from these can vary depending upon country of origin, 
#         country of destination, policies, and enforcement of policies, 
#         most of these are kept as separate rules rather than combined. 
########  ######################   ##################################################

header    SARE_FREE_WEBM_EsYahoo   From =~ /\@yahoo\.es/i
describe  SARE_FREE_WEBM_EsYahoo   Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_EsYahoo   0.100
#counts   SARE_FREE_WEBM_EsYahoo   27s/11h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_FREE_WEBM_EsYahoo   105s/46h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_EsYahoo   11s/0h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_FREE_WEBM_EsYahoo   6s/2h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_EsYahoo   9s/21h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_FREE_WEBM_EsYahoo   0s/0h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_FREE_WEBM_EsYahoo   17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FREE_WEBM_EsYahoo   0s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_FREE_WEBM_EsYahoo   4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_EsYahoo   10s/0h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_FREE_WEBM_EsYahoo   0s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06
#max      SARE_FREE_WEBM_EsYahoo   1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_FrYahoo   From =~ /\byahoo\.fr/i
describe  SARE_FREE_WEBM_FrYahoo   Sender used free email account - may be spammer
score     SARE_FREE_WEBM_FrYahoo   0.130
#counts   SARE_FREE_WEBM_FrYahoo   48s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_FREE_WEBM_FrYahoo   174s/2h of 97268 corpus (79437s/17831h RM) 01/24/04
#counts   SARE_FREE_WEBM_FrYahoo   6s/4h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_FREE_WEBM_FrYahoo   2s/10h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_FrYahoo   15s/12h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_FREE_WEBM_FrYahoo   6s/1h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_FREE_WEBM_FrYahoo   8s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FREE_WEBM_FrYahoo   4s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#counts   SARE_FREE_WEBM_FrYahoo   13s/11h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_FREE_WEBM_FrYahoo   2s/0h of 42266 corpus (34149s/8117h FVGT) 05/15/06

header    SARE_FREE_WEBM_MYWAY     From =~ /\bMyway\.com/i 
describe  SARE_FREE_WEBM_MYWAY     Maybe spammer with free email
score     SARE_FREE_WEBM_MYWAY     0.301
#hist     SARE_FREE_WEBM_MYWAY     Created by Bob Menschel Jun 01 2004
#counts   SARE_FREE_WEBM_MYWAY     1s/8h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_FREE_WEBM_MYWAY     134s/57h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_MYWAY     7s/0h of 56014 corpus (51685s/4329h AxB2) 05/14/06
#counts   SARE_FREE_WEBM_MYWAY     12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_MYWAY     21s/9h of 106181 corpus (72811s/33370h ML) 05/15/06
#counts   SARE_FREE_WEBM_MYWAY     5s/0h of 22944 corpus (17229s/5715h MY) 05/14/06
#max      SARE_FREE_WEBM_MYWAY     12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FREE_WEBM_MYWAY     5s/0h of 13296 corpus (7424s/5872h CT) 05/14/06
#max      SARE_FREE_WEBM_MYWAY     7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_MYWAY     16s/0h of 155066 corpus (103522s/51544h DOC) 05/15/06
#counts   SARE_FREE_WEBM_MYWAY     36s/1h of 42266 corpus (34149s/8117h FVGT) 05/15/06

#####################################################################################
#         SARE Rules which examine multiple header types
########  ######################   ##################################################

# EOF