local.sco

flex是linux下一个很有用的高效的编译器工具

body BE_BOSS		        /\byour own boss\b/i
describe BE_BOSS		Be your own boss

body ML_MARKETING	        /\b(?:MLM|multi.level.marketing)\b/i
describe ML_MARKETING		Multi Level Marketing mentioned

body CONFIDENTIAL_ORDER		/confidential.{0,9} order/i
describe CONFIDENTIAL_ORDER	Confidentiality on all orders

body SAVE_THOUSANDS             /\bsave (?:thousands|millions)\b/i
describe SAVE_THOUSANDS         Save big money

body MARKETING_PARTNERS		/\b(?:marketing|network) partner|\bpartner (?:web)?site/i
describe MARKETING_PARTNERS	Claims you registered with a partner

body FREE_PREVIEW		/\bfree preview\b/i
describe FREE_PREVIEW		Free Preview

body FREE_ACCESS                /(?-i:F)ree access/i
describe FREE_ACCESS            Contains 'free access' with capitals

body FREE_SAMPLE                /(?-i:F)ree sample/i
describe FREE_SAMPLE            Contains 'free sample' with capitals

body LOW_PRICE                  /\blow.{0,4} (?-i:P)rice/i
describe LOW_PRICE              Lowest Price

body UNCLAIMED_MONEY            /\bunclaimed (?:funds|money|prizes?|rewards?)\b/i
describe UNCLAIMED_MONEY        People just leave money laying around

body OBSCURED_EMAIL		/\w+\^\S+\(\w{2,4}\b/
describe OBSCURED_EMAIL		Message seems to contain rot13ed address

body BANG_EXERCISE    		/\bexercis(?:e|er|es)!/i
describe BANG_EXERCISE    	Talks about exercise with an exclamation!

body BANG_MORE       		/\b(?-i:M)ore!/i
describe BANG_MORE       	Talks about more with an exclamation!

body BANG_OPRAH      		/\boprah!/i
describe BANG_OPRAH      	Talks about Oprah with an exclamation!

body ACT_NOW_CAPS               /A(?i:ct) N(?i:ow)/
describe ACT_NOW_CAPS		Talks about 'acting now' with capitals

body MORE_SEX               /increased?.{0,9}(?:sex|stamina)/i
describe MORE_SEX 		Talks about a bigger drive for sex

body BANG_GUAR	         	/\bguaranteed?\!/i
describe BANG_GUAR		Something is emphatically guaranteed

body SEE_FOR_YOURSELF		/See (?:for|it|it for) yourself\b/i
describe SEE_FOR_YOURSELF       See for yourself 

body INVESTMENT_ADVICE		/\binvestment advice/i
describe INVESTMENT_ADVICE	Message mentions investment advice

body INVESTMENT_EXPERT		/\binvestment expert/i
describe INVESTMENT_EXPERT	Message mentions investment expert

body QUALIFY_FOR_THIS		/qualify for \w{1,5} (?:special|new|promotion)/i
describe QUALIFY_FOR_THIS	Qualify for this special...

body MALE_ENHANCE	/male enhancement/i
describe MALE_ENHANCE	Message talks about enhancing men

body PRICES_ARE_AFFORDABLE	/\baffordable .{0,10}prices\b/i
describe PRICES_ARE_AFFORDABLE	Message says that prices aren't too expensive

body REPLICA_WATCH /\breplica.{1,20}rolex/i
describe REPLICA_WATCH	Message talks about a replica watch

body EM_ROLEX /[^\s\w.]rolex/i
describe EM_ROLEX	Message puts emphasis on the watch manufacturer

#********************************************************************************
# 10. porn tests --> 20_porn.cf
#********************************************************************************

body FREE_PORN                  /\bfree (?:porn|xxx|adult)/i
describe FREE_PORN              Possible porn - Free Porn

body CUM_SHOT                   /\bcum[ -]?shots?\b/i
describe CUM_SHOT               Possible porn - Cum Shot

# "live cam" is a very common nonspam phrase, removed
body LIVE_PORN                  /\blive .{0,9}(?:fuck(?:ing)?|sex|naked|girls?|virgins?|teens?|porno?)\b/i
describe LIVE_PORN              Possible porn - Live Porn

body HARDCORE_PORN              /\bh[a\@]rd[ -]?core .{0,9}(?:teen|virgin|cheerleader|amat(?:eu|ue)r)|\bextreme h[a\@]rdcore/i
describe HARDCORE_PORN          Possible porn - Hardcore Porn

body HOT_NASTY			/\b(?=[dehklnswxy])(?:horny|nasty|hot|wild|young|horniest|nastiest|hottest|wildest|youngest|naughty|dirtiest|slutty|kinky|lusty|extreme|xxx+)\b.{0,9}\b(?=[acfghilmpsvx])(?:virgins?\b|asian|cheerleader|sex|selection|fuck|fucking|anal\b|lesb(?:ian|o)|incest|chicks?|pics|movies|video|gay\b|porn|h[a\@]rdcore|schoolgirls|amateur|slut|adult|cum\b|xxx|sites?|hotties|shit)/i
describe HOT_NASTY		Possible porn - Hot, Nasty, Wild, Young

body BEST_PORN			/\b(?:best|biggest|largest|most|free|ultimate)\b.{0,9}\b(?:virgins?\b|anal\b|lesbians?|incest|porno?|h[a\@]rdcore|sluts?|xxx+)/i
describe BEST_PORN		Possible porn - Best, Largest, Most Porn

body NASTY_GIRLS                /\b(?:horniest|nasty|nastiest|hottest|wildest|slutty|xxx+)\b.{0,9}\b(?:girl|women|teen|babe)/i
describe NASTY_GIRLS            Possible porn - Nasty Girls

body AMATEUR_PORN               /\bamateur .{0,9}(?:sex|porn|star|sites?|college|babes|action|pics|trash|gang|rape)|\b(?:real|best) amateur/i
describe AMATEUR_PORN           Possible porn - Amateur Porn

body SOMETHING_FOR_ADULTS       /\badult.{0,9}(?:entertainment|sites?|industry|only|business|membership)/i
describe SOMETHING_FOR_ADULTS   Possible porn - Adult Web Sites

body PORN_15			/(?=[celstwvy])(?:college|eating|licking|spears|tight|wet|shaved|voyeur|young|teen(?:age)?).{0,16}pussy/i
describe PORN_15		Possible porn - various types of feline

body PORN_16			/\b(?:nasty|teen|dir(?:ty|iest)?|little).{0,16}\bsluts?/i 
describe PORN_16 		Possible porn - nasty, dirty, little etc.

body LOTS_OF_STUFF		/\b(?:\d{1,3}[,\.]?)+\d{3}.{0,20}\b(?:pics|pictures|images|photos|movies)/i
describe LOTS_OF_STUFF		Thousands or millions of pictures, movies, etc.

body DISGUISE_PORN              /\b(?:c[*0]cks?|d[1*]cks?|h[0*]rny|b[1*]tch(?:es)|f[*0]ckk?ed|p[*]ssy|p[*]ssies)\b/i
describe DISGUISE_PORN          Attempts to disguise porn words

body DISGUISE_PORN_MUNDANE	/\b(?:h[0*]t|y[0*][uv]ng|b[0*]ys?|g[1*]r[1l]s?|g[1l]rls?|w[1*]ves|w[1*]fe|s3xy?|p[0*]rn[o0*]?)\b/i
describe DISGUISE_PORN_MUNDANE	Attempts to disguise mundane words used in porn

# lookbehinds here; saved a lot of work for us (bug 1035), also see bug 1835
uri PORN_URL_SEX                /^https?:\/\/[\w\.-]*(?<!es|ba)(?<!dle|sus)sex(?!press)[\w-]*\./i
describe PORN_URL_SEX           URL uses words/phrases which indicate porn (sex)

uri PORN_URL_SLUT               /^https?:\/\/[\w\.-]*slut[\w-]*\./i
describe PORN_URL_SLUT          URL uses words/phrases which indicate porn (slut)

uri PORN_URL_MISC               /^https?:\/\/[\w\.-]*(?:porn|hard-?core|taboo|lesbian|naughty)[\w-]*\./i
describe PORN_URL_MISC          URL uses words/phrases which indicate porn (misc)

header SUBJECT_SEXUAL		Subject =~ /[s5][e3\xE8-\xEB]x[u\xB5\xF9-\xFC][a4\xE0-\xE6@][l!|1](?:[l!|1]y)?.{0,3}[e3\xE8-\xEB]xp[l!|1][i1!|l\xEC-\xEF]c[i1!|l\xEC-\xEF]t/i
describe SUBJECT_SEXUAL		Subject indicates sexually-explicit content

#********************************************************************************
# 11. known spam mailers --> 20_ratware.cf
#********************************************************************************

header RATWARE_EGROUPS		X-Mailer =~ /eGroups Message Poster/
describe RATWARE_EGROUPS	Bulk email fingerprint (eGroups) found

header RATWARE_HASH_2           X-Mailer =~ /^[A-Za-z0-9_]{16,}$/
describe RATWARE_HASH_2		Bulk email fingerprint (hash 2) found

header RATWARE_HASH_2_V2        X-Mailer =~ /^[A-Za-z0-9_]{14,}$/
describe RATWARE_HASH_2_V2	Bulk email fingerprint (hash 2 v2) found

header RATWARE_JPFREE		X-Mailer =~ /jpfree Group Mail Express/
describe RATWARE_JPFREE		Bulk email fingerprint (jpfree) found

# Note that the tests which look at the "ALL" pseudoheader are slower than the specific header.
# 100% overlap with X-Stormpost-To: header, but seems wise to leave it in
uri RATWARE_STORM_URI		m{^http://\S{1,100}/sp/t\.pl\?id=\d+:\d+}i
describe RATWARE_STORM_URI	Bulk email fingerprint (StormPost) found

header RATWARE_OE_MALFORMED	X-Mailer =~ /^Microsoft Outlook Express \d(?:\.\d+){3} \w+$/
describe RATWARE_OE_MALFORMED	X-Mailer has malformed Outlook Express version

header RATWARE_RCVD_LC_ESMTP	Received =~ /^from (?:(?:unknown|\d+\.\d+\.\d+\.\d+) \(\S+\)|\[\d+\.\d+\.\d+\.\d+\]) by \S+ with (?:esmtp|local|smtp); /m
describe RATWARE_RCVD_LC_ESMTP	Bulk email fingerprint ('esmtp' Received) found

header RATWARE_MOZ_MALFORMED	User-Agent =~ /Mozilla\/5\.0\d\d/
describe RATWARE_MOZ_MALFORMED	Bulk email fingerprint (Mozilla malformed) found

header RATWARE_MPOP_WEBMAIL	X-Mailer =~ /mPOP Web-Mail/i
describe RATWARE_MPOP_WEBMAIL	Bulk email fingerprint (mPOP Web-Mail)

rawbody RATWARE_HASH_DASH	/[a-z\d]-[a-z\d]{16}-[a-z\d]{1,16}(?-i:l)\d/i
describe RATWARE_HASH_DASH	Contains a hashbuster in Send-Safe format

# spammer tool, sometimes has "netIP with HTTP;" in Received: header
header RATWARE_NETIP		Content-Type =~ /boundary="--ALT--[A-Z]{4}\d/
describe RATWARE_NETIP		Bulk email fingerprint (netIP) found

# this is really badly faked.  Also the spammer who uses "25250101"
# for the build is a total hippie.
header RATWARE_GECKO_BUILD	User-Agent =~ /Gecko\/(?!200\d\d\d\d\d)\d/
describe RATWARE_GECKO_BUILD	Bulk email fingerprint (Gecko faked) found

header HDR_ORDER_MTSRIX		ALL =~ /\nMessage-ID: <\S+@\S+>\nTo: [^\n]+ <\S+>\nSubject: [^\n]+\nReferences: <\S+@\S+>\nIn-Reply-To: <\S+@\S+>\nX-Mailer: /
describe HDR_ORDER_MTSRIX	Headers are in order found in spam (MTSRIX)

header HDR_ORDER_TRIMRS		ALL =~ /\nTo: [^\n]+\nReferences: <\S+@\S+>\nIn-Reply-To: <\S+@\S+>\nMessage-ID: <\S+@\S+>\nReply-To: [^\n]+\nSender: /
describe HDR_ORDER_TRIMRS	Headers are in order found in spam (TRIMRS)

header RCVD_BONUS_SPC_DATE	Received =~ /with SMTP;  \d\d \S\S\S /
describe RCVD_BONUS_SPC_DATE	Bulk email fingerprint (bonus space) found

header X_MESSAGE_INFO		exists:X-Message-Info
describe X_MESSAGE_INFO		Bulk email fingerprint (X-Message-Info) found

# case-sensitive rule
# only significant rules with no FPs, hit recently, on 2+ corpuses
header HEADER_SPAM		ALL =~ /^(Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m
describe HEADER_SPAM		Bulk email fingerprint (header-based) found

header RATWARE_RCVD_PF		Received =~ / \(Postfix\) with ESMTP id [^;]+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s
describe RATWARE_RCVD_PF	Bulk email fingerprint (Received PF) found

header RATWARE_RCVD_AT		Received =~ / by \S+\@\S+ with Microsoft SMTPSVC/
describe RATWARE_RCVD_AT	Bulk email fingerprint (Received @) found

header MSGID_RATWARE1		Message-Id =~ /<[A-Z]+\$[^\$]+\$.+@/
describe MSGID_RATWARE1		Bulk email fingerprint found

header RATWARE_BOUND_PIECE	Content-Type =~ /boundary=\"?--Piece/
describe RATWARE_BOUND_PIECE	Bulk email fingerprint (piece boundary) found

header RATWARE_EFROM		eval:check_ratware_envelope_from()
describe RATWARE_EFROM		Bulk email fingerprint (envfrom) found

#********************************************************************************
# 12. URI tests --> 20_uri_tests.cf
#********************************************************************************

uri NUMERIC_HTTP_ADDR		/^https?\:\/\/\d{7}/is
describe NUMERIC_HTTP_ADDR	Uses a numeric IP address in URL

uri NORMAL_HTTP_TO_IP		m{^https?://\d+\.\d+\.\d+\.\d+}i
describe NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL

uri HTTP_ESCAPED_HOST		/^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST	Uses %-escapes inside a URL's hostname

# note: do not match \r or \n
uri HTTP_CTRL_CHARS_HOST	/^https?\:\/\/[^\/\s]*[\x00-\x08\x0b\x0c\x0e-\x1f]/
describe HTTP_CTRL_CHARS_HOST	Uses control sequences inside a URL hostname

# look for URI with escaped 0-9, A-Z, or a-z characters (all other safe
# characters have been well-tested, but are sometimes unnecessarily escaped
# in nonspam; requiring "http" or "https" also reduces false positives).
uri HTTP_EXCESSIVE_ESCAPES	/^https?:\/\/\S*%(?:3\d|[46][1-9a-f]|[57][\da])/i
describe HTTP_EXCESSIVE_ESCAPES	Completely unnecessary %-escapes inside a URL

uri IP_LINK_PLUS	m{^https?://\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id=)}i
describe IP_LINK_PLUS	Dotted-decimal IP address followed by CGI

uri REMOVE_PAGE			/^https?:\/\/[^\/]+\/.*?remove/
describe REMOVE_PAGE		URL of page called "remove"

uri MAILTO_TO_SPAM_ADDR		/^mailto:[a-z]+\d{2,}\@/is
describe MAILTO_TO_SPAM_ADDR	Includes a link to a likely spammer email

uri MAILTO_TO_REMOVE		/^mailto:.*?remove/is
describe MAILTO_TO_REMOVE	Includes a 'remove' email address

# allow ports 80 and 443 which are http and https, respectively
# we don't want to hit http://www.cnn.com:USArticle1840@www.liquidshirts.com/
# though, which actually doesn't have a weird port in it.
uri WEIRD_PORT			m{https?://[^/\s]+?:\d+(?<!:80)(?<!:443)(?<!:8080)(?:/|\s|$)}
describe WEIRD_PORT		Uses non-standard port number for HTTP

# looks for a (maybe empty) username and (optional) password in an url
uri USERPASS                    m{^https?://[^/\s]*?(?::[^/\s]+?)?\@}
describe USERPASS               URL contains username and (optional) password

uri URI_IS_POUND		m{\#$}
describe URI_IS_POUND		Filename is just a '\#'; probably a JS trick

uri BARGAIN_URL			/bargain([sz]|-\S+)?\.(?:com|biz)/
describe BARGAIN_URL		Includes a link to a likely spammer domain

# these are somewhat loose, but results are good
uri BIZ_TLD  			/\.biz(?::\d+)?(?:\/|$)/i
describe BIZ_TLD		Contains an URL in the BIZ top-level domain    

uri INFO_TLD  			/\.info(?::\d+)?(?:\/|$)/i
describe INFO_TLD		Contains an URL in the INFO top-level domain    

uri YAHOO_RD_REDIR		m{^https?\://rd\.yahoo\.com/(?:[0-9]{4}|partner\b|dir\b)}i
describe YAHOO_RD_REDIR		Has Yahoo Redirect URI

uri YAHOO_DRS_REDIR		m{^https?://drs\.yahoo\.com/}i
describe YAHOO_DRS_REDIR	Has Yahoo Redirect URI

uri URI_OFFERS			m/offer([sz]|-\S+)?\.(?:com|bi?z)/i
describe URI_OFFERS		Message has link to company offers

uri URI_4YOU			m@^(?:https?://|mailto:)[^\/]*4you@i
describe URI_4YOU		Messag