# SpamAssassin rules file: URI tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Copyright 2004 Apache Software Foundation
# 
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# 
#     http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

require_version @@VERSION@@

uri NUMERIC_HTTP_ADDR		/^https?\:\/\/\d{7,}/is
describe NUMERIC_HTTP_ADDR	Uses a numeric IP address in URL

uri NORMAL_HTTP_TO_IP		/^https?\:\/\/(?:\S*\@)?\d+\.\d+\.\d+\.\d+/i
describe NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL
 	
# Theo sez:
# Have gotten FPs off this, and whitespace can't be in the host, so...
# %    Visit my homepage: http://i.like.foo.com %
uri HTTP_ESCAPED_HOST		/^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST	Uses %-escapes inside a URL's hostname

# note: do not match \r or \n
uri HTTP_CTRL_CHARS_HOST	/^https?\:\/\/[^\/\s]*[\x00-\x08\x0b\x0c\x0e-\x1f]/
describe HTTP_CTRL_CHARS_HOST	Uses control sequences inside a URL hostname

# look for URI with escaped 0-9, A-Z, or a-z characters (all other safe
# characters have been well-tested, but are sometimes unnecessarily escaped
# in nonspam; requiring "http" or "https" also reduces false positives).
uri HTTP_EXCESSIVE_ESCAPES	/^https?:\/\/\S*%(?:3\d|[46][1-9a-f]|[57][\da])/i
describe HTTP_EXCESSIVE_ESCAPES	Completely unnecessary %-escapes inside a URL

# bug 1801
uri IP_LINK_PLUS	/^https?\:\/\/(?:\S*\@)?\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id\=)/i
describe IP_LINK_PLUS	Dotted-decimal IP address followed by CGI

uri REMOVE_PAGE			/^https?:\/\/[^\/]+\/.*?remove/
describe REMOVE_PAGE		URL of page called "remove"
 	
uri MAILTO_TO_SPAM_ADDR		/^mailto:[a-z]+\d{2,}\@/is
describe MAILTO_TO_SPAM_ADDR	Includes a link to a likely spammer email
 	
uri MAILTO_TO_REMOVE		/^mailto:.*?remove/is
describe MAILTO_TO_REMOVE	Includes a 'remove' email address

# allow ports 80 and 443 which are http and https, respectively
# we don't want to hit http://www.cnn.com:USArticle1840@www.liquidshirts.com/
# though, which actually doesn't have a weird port in it.
uri WEIRD_PORT			m{https?://[^/\s]+?:\d+(?<!:80)(?<!:443)(?<!:8080)(?:/|\s|$)}
describe WEIRD_PORT		Uses non-standard port number for HTTP

# looks for a (maybe empty) username and (optional) password in an url
uri USERPASS			m{https?://[^/\s]*?(?::[^/\s]+?)?\@}
describe USERPASS               URL contains username and (optional) password

uri URI_IS_POUND		m{\#$}
describe URI_IS_POUND		Filename is just a '\#'; probably a JS trick

uri BARGAIN_URL			/bargain([sz]|-\S+)?\.(?:com|biz)/
describe BARGAIN_URL		Includes a link to a likely spammer domain

# this is somewhat loose, but results are good
uri BIZ_TLD  			/\.biz(?:\/|$)/i
describe BIZ_TLD		Contains an URL in the BIZ top-level domain    

uri INFO_TLD			/^(?:https?:\/\/|mailto:)[^\/]+\.info(?:\/|$)/i
describe INFO_TLD		Contains an URL in the INFO top-level domain    

# Matt Cline
# Pretty good for most folks, except for jm: I have a really stupid
# e-commerce bunch obfuscating their URLs with this for some reason. screw 'em
# jm: hesitant to remove this outright; it should be good against phishers
#uri      HTTP_ENTITIES_HOST	m{https?://[^\s\">/]*\&\#[\da-f]+}i
#describe HTTP_ENTITIES_HOST	URI obscured with character entities

uri YAHOO_RD_REDIR		m{^https?\://rd\.yahoo\.com/(?:[0-9]{4,}|partner\b|dir\b)}i
describe YAHOO_RD_REDIR		Has Yahoo Redirect URI

uri YAHOO_DRS_REDIR		m{^https?://drs\.yahoo\.com/}i
describe YAHOO_DRS_REDIR	Has Yahoo Redirect URI

uri URI_OFFERS			m/offer([sz]|-\S+)?\.(?:com|bi?z)/i
describe URI_OFFERS		Message has link to company offers

uri URI_4YOU			m@^(?:https?://|mailto:)[^\/]*4you@i
describe URI_4YOU		Message has URI 4you

# 0 nonspam hits, hundreds of spam hits.  Serious problems there
uri TERRA_ES			/terra\.es\//i
describe TERRA_ES		Contains URI to a document hosted at 'terra.es'

# "www" hidden as "%77%77%77", "ww%77", etc.
# note: *not* anchored to start of string, to catch use of redirectors
uri HTTP_77			/http:\/\/.{0,2}\%77/
describe HTTP_77		Contains an URL-encoded hostname (HTTP77)

# affiliateid, aff_id, aff_sub_id etc.
uri URI_AFFILIATE		/aff\w+id=/i
describe URI_AFFILIATE		Contains a URI with an affiliate ID code

# really a URI rule
header URI_REDIRECTOR		eval:check_for_http_redirector()
describe URI_REDIRECTOR		Message has HTTP redirector URI