Hello,
Would someone give these rules a run and see how much trouble they cause?
There might be some obvious overlap with existing, better, rulesets. If you
feel like pointing them out it would be great. One last thing, on the
CTS_CONFIDENTIAL rule I'm sure there is a way to further consolidate the
confidential|confidentially|confidentiality, but I'm not exactly sure how. If
you feel like giving a tip there that will help too.
Thanks, Al
body CTS_ANONYMOUS /\bcompletely anonymous\b/i
describe CTS_ANONYMOUS We will share it with our closest spammers
score CTS_ANONYMOUS 0.01
body CTS_AOL1 /\bX-AOL-SCOLL-SCORE\b/i
describe CTS_AOL1 Weird junk
score CTS_AOL1 1.0
body CTS_APOLOGY /\baccept my apologies\b/i
describe CTS_APOLOGY Apology
score CTS_APOLOGY 0.01
body CTS_CIALIS1 /\bcia.is\b/i
describe CTS_CIALIS1 Cialis Obfuscation
score CTS_CIALIS1 1.0
body CTS_CONFIDENTIAL /\bconfidential|confidentially|confidentiality]\b/i
describe CTS_CONFIDENTIAL Confidential
score CTS_CONFIDENTIAL 0.01
body CTS_ERECTION1 /\bamazing erection\b/i
describe CTS_ERECTION1 They are all amazing
score CTS_ERECTION1 1.0
body CTS_ERECTION2 /\berectile problem\b/i
describe CTS_ERECTION2 Not your only problem
score CTS_ERECTION2 1.0
meta CTS_DRUG_ERECTION1 (CTS_ERECTION1 && LOCAL_DRUGS_MALEDYSFUNCTION)
describe CTS_DRUG_ERECTION1 Drugs and erections
score CTS_DRUG_ERECTION1 1.0
meta CTS_DRUG_ERECTION2 (CTS_ERECTION2 && LOCAL_DRUGS_MALEDYSFUNCTION)
describe CTS_DRUG_ERECTION2 Drugs and erections
score CTS_DRUG_ERECTION2 1.0
rawbody CTS_HREF /<a .{0,32}href[^=]/i
describe CTS_HREF Href Obfuscation
score CTS_HREF 1.0
uri CTS_INDUSTRY /industry2004\.com/i
describe CTS_INDUSTRY Low scoring site
score CTS_INDUSTRY 1.0
body CTS_MONEY_SCAM_1 /\bshare the money\b/i
describe CTS_MONEY_SCAM_1 Money scam
score CTS_MONEY_SCAM_1 1.0
body CTS_MONEY_SCAM_2 /\bpaid into your bank account\b/i
describe CTS_MONEY_SCAM_2 Money scam
score CTS_MONEY_SCAM_2 1.0
meta CTS_MONEY_SCAM_3 (CTS_MONEY_SCAM_1 && CTS_MONEY_SCAM_2)
score CTS_MONEY_SCAM_3 1.0
meta CTS_MTA_SUBJ (SUBJ_ILLEGAL_CHARS && MSGID_FROM_MTA_BACKUP)
describe CTS_MTA_SUBJ Illegal chars from MTA backup
score CTS_MTA_SUBJ 4.0
body CTS_PERFORMANCE1 /\bperformance in bed\b/i
describe CTS_PERFORMANCE1 Test performance in bed
score CTS_PERFORMANCE1 1.0
body CTS_PERFORMANCE2 /\bperforming in bed\b/i
describe CTS_PERFORMANCE2 Test performing in bed
score CTS_PERFORMANCE2 1.0
header CTS_POLARWAX From =~ /\.polarwax\.com/i
describe CTS_POLARWAX Low score spam site
score CTS_POLARWAX = 1.0
uri CTS_PORN1 /portismount\.com/i
describe CTS_PORN1 Low scoring porn site
score CTS_PORN1 1.0
meta CTS_PRIORITY_CLICK (PRIORITY_NO-NAME && CLICK_BELOW && EXCUSE_16)
describe CTS_PRIORITY_CLICK Priority with Click and Excuse
score CTS_PRIORITY_CLICK 1.0
body CTS_PROPOSITION /\bproposition\b/i
describe CTS_PROPOSITION Proposition
score CTS_PROPOSITION 0.01
meta CTS_CONF_PROP1 (CTS_APOLOGY && CTS_PROPOSITION)
describe CTS_CONF_PROP1 Sorry proposition
score CTS_CONF_PROP1 1.0
meta CTS_CONF_PROP2 (CTS_CONFIDENTIAL && CTS_PROPOSITION)
describe CTS_CONF_PROP2 Confidential proposition
score CTS_CONF_PROP2 1.0
body CTS_RMOVE /\brmove\b/i
describe CTS_RMOVE Remove Obfuscation
score CTS_RMOVE 1.0
body CTS_REMUV /\bremuv\b/i
describe CTS_REMUV Remove Obfuscation
score CTS_REMUV 1.0
body CTS_SCIENTIFIC1 /\bscientifically proven method\b/i
describe CTS_SCIENTIFIC1 Test scientifically proven method
score CTS_SCIENTIFIC1 0.01
body CTS_SCIENTIFIC2 /\bscientific formulation\b/i
describe CTS_SCIENTIFIC2 Test scientific formulation
score CTS_SCIENTIFIC2 0.01
body CTS_SCIENTIFIC3 /\bscientifically formulated\b/i
describe CTS_SCIENTIFIC3 Test scientifically formulated
score CTS_SCIENTIFIC3 0.01
body CTS_VALIUM1 /\bv.l..m\b/i
describe CTS_VALIUM1 Valium Obfuscation2
score CTS_VALIUM1 0.01
body CTS_VIAGRA1 /\bv.agra\b/i
describe CTS_VIAGRA1 Viagra Obfuscation
score CTS_VIAGRA1 0.01
body CTS_VIAGRA2 /\bv..gr.\b/i
describe CTS_VIAGRA2 Viagra Obfuscation2
score CTS_VIAGRA2 0.01
meta CTS_VIA_CIA1 (CTS_CIALIS1 && CTS_VIAGRA1)
describe CTS_VIA_CIA1 Viagra Cialis obfuscation
score CTS_VIA_CIA1 0.01
body CTS_VICODIN1 /\bv.c.d.n\b/i
describe CTS_VICODIN1 Vicodin Obfuscation2
score CTS_VICODIN1 0.01
meta CTS_VIC_VAL1 (CTS_VICODIN1 && CTS_VALIUM1)
describe CTS_VIC_VAL1 Vicodin Valium obfuscation
score CTS_VIC_VAL1 0.01
body CTS_VIRUSWARN1 /\bI received a virus\b/i
describe CTS_VIRUSWARN1 Sure they did
score CTS_VIRUSWARN1 1.0
body CTS_VIRUSWARN2 /\bteddy bear icon\b/i
describe CTS_VIRUSWARN2 Yes its cute
score CTS_VIRUSWARN2 1.0
body CTS_VIRUSWARN3 /\bugly black icon\b/i
describe CTS_VIRUSWARN3 OK its ugly
score CTS_VIRUSWARN3 1.0
meta CTS_VIRUSWARN4 (CTS_VIRUSWARN1 && CTS_VIRUSWARN2)
describe CTS_VIRUSWARN4 Virus hoax
score CTS_VIRUSWARN4 1.0
meta CTS_VIRUSWARN5 (CTS_VIRUSWARN1 && CTS_VIRUSWARN3)
describe CTS_VIRUSWARN5 Virus hoax
score CTS_VIRUSWARN5 1.0
body CTS_XANAX1 /\bx.n.x\b/i
describe CTS_XANAX1 Xanax Obfuscation2
score CTS_XANAX1 0.01
meta CTS_VIC_XAN1 (CTS_VICODIN1 && CTS_XANAX1)
describe CTS_VIC_XAN1 Vicodin Xanax obfuscation
score CTS_VIC_XAN1 0.01
