1
# SpamAssassin rules file: URI tests
3
# Please don't modify this file as your changes will be overwritten with
4
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
5
# See 'perldoc Mail::SpamAssassin::Conf' for details.
8
# Licensed to the Apache Software Foundation (ASF) under one or more
9
# contributor license agreements. See the NOTICE file distributed with
10
# this work for additional information regarding copyright ownership.
11
# The ASF licenses this file to you under the Apache License, Version 2.0
12
# (the "License"); you may not use this file except in compliance with
13
# the License. You may obtain a copy of the License at:
15
# http://www.apache.org/licenses/LICENSE-2.0
17
# Unless required by applicable law or agreed to in writing, software
18
# distributed under the License is distributed on an "AS IS" BASIS,
19
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20
# See the License for the specific language governing permissions and
21
# limitations under the License.
24
###########################################################################
26
require_version @@VERSION@@
28
# possible IDN spoofing attack: http://www.shmoo.com/idn/homograph.txt
29
# not expecting any hits on this (yet)
30
uri HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
31
tflags HIGH_CODEPAGE_URI userconf
33
###########################################################################
35
# Redirector URI patterns
36
redirector_pattern /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
37
redirector_pattern /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i
38
redirector_pattern /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i
39
redirector_pattern /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i
40
redirector_pattern /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i
41
redirector_pattern m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&\#])'i
42
redirector_pattern m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i
44
uri NUMERIC_HTTP_ADDR /^https?\:\/\/\d{7}/is
45
describe NUMERIC_HTTP_ADDR Uses a numeric IP address in URL
48
# Have gotten FPs off this, and whitespace can't be in the host, so...
49
# % Visit my homepage: http://i.like.foo.com %
50
uri HTTP_ESCAPED_HOST /^https?\:\/\/[^\/\s\?\']*%[0-9a-fA-F][0-9a-fA-F]/
51
describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname
53
# look for URI with escaped 0-9, A-Z, or a-z characters (all other safe
54
# characters have been well-tested, but are sometimes unnecessarily escaped
55
# in nonspam; requiring "http" or "https" also reduces false positives).
56
uri HTTP_EXCESSIVE_ESCAPES /^https?:\/\/\S*%(?:3\d|[46][1-9a-f]|[57][\da])/i
57
describe HTTP_EXCESSIVE_ESCAPES Completely unnecessary %-escapes inside a URL
60
uri IP_LINK_PLUS m{^https?://\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id=)}i
61
describe IP_LINK_PLUS Dotted-decimal IP address followed by CGI
63
# allow ports 80 and 443 which are http and https, respectively
64
# we don't want to hit http://www.cnn.com:USArticle1840@www.liquidshirts.com/
65
# though, which actually doesn't have a weird port in it.
66
uri WEIRD_PORT m{https?://[^/\s]+?:\d+(?<!:80)(?<!:443)(?<!:8080)(?:/|\s|$)}
67
describe WEIRD_PORT Uses non-standard port number for HTTP
70
# Pretty good for most folks, except for jm: I have a really stupid
71
# e-commerce bunch obfuscating their URLs with this for some reason. screw 'em
72
# jm: hesitant to remove this outright; it should be good against phishers
73
#uri HTTP_ENTITIES_HOST m{https?://[^\s\">/]*\&\#[\da-f]+}i
74
#describe HTTP_ENTITIES_HOST URI obscured with character entities
76
uri YAHOO_RD_REDIR m{^https?\://rd\.yahoo\.com/(?:[0-9]{4}|partner\b|dir\b)}i
77
describe YAHOO_RD_REDIR Has Yahoo Redirect URI
79
uri YAHOO_DRS_REDIR m{^https?://drs\.yahoo\.com/}i
80
describe YAHOO_DRS_REDIR Has Yahoo Redirect URI
82
# "www" hidden as "%77%77%77", "ww%77", etc.
83
# note: *not* anchored to start of string, to catch use of redirectors
84
uri HTTP_77 /http:\/\/.{0,2}\%77/
85
describe HTTP_77 Contains an URL-encoded hostname (HTTP77)
88
uri SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2}}i
89
describe SPOOF_COM2OTH URI contains ".com" in middle
92
uri SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
93
describe SPOOF_COM2COM URI contains ".com" in middle and end
96
uri SPOOF_NET2COM m{^https?://(?:\w+\.)+?(?:net|org)\.(?:\w+\.)+?com}i
97
describe SPOOF_NET2COM URI contains ".net" or ".org", then ".com"
99
uri URI_HEX m%^https?://[^/?]*\b[0-9a-f]{6,}\b%i
100
describe URI_HEX URI hostname has long hexadecimal sequence
102
uri URI_NOVOWEL m%^https?://[^/?]*[bcdfghjklmnpqrstvwxz]{7}%i
103
describe URI_NOVOWEL URI hostname has long non-vowel sequence
105
uri URI_UNSUBSCRIBE /\b(?:gone|opened|out)\.php/i
106
describe URI_UNSUBSCRIBE URI contains suspicious unsubscribe link
109
# bug 3896: URIs in various TLDs, other than 3rd level www
110
uri URI_NO_WWW_INFO_CGI /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.info\/(?=\S{15,})\S*\?/i
111
describe URI_NO_WWW_INFO_CGI CGI in .info TLD other than third-level "www"
113
uri URI_NO_WWW_BIZ_CGI /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.biz\/(?=\S{15,})\S*\?/i
114
describe URI_NO_WWW_BIZ_CGI CGI in .biz TLD other than third-level "www"
116
###########################################################################
118
uri NORMAL_HTTP_TO_IP m{^https?://\d+\.\d+\.\d+\.\d+}i
119
describe NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL