# HAVENURLS-0604.rc
#
# Recent URLs seen in spam, at domains that are not spammers themselves.
#
# Last updated: 4/16/2006
#
# Purpose: two body recipes (flag B) that set LOCALTAG=yes when the message
# body contains one of the listed URLs or encoded hostnames. Nothing in this
# file reads LOCALTAG; whatever acts on it lives elsewhere.
#
# How the conditions combine:
#   * The two "!" conditions must both hold: the body must not contain a
#     "-- forwarded message --" style marker or a line starting with
#     "forwarded message:". Presumably this spares forwarded spam reports
#     (confirm). NOTE(review): the exemption keys on text the sender controls,
#     so any message carrying that marker skips these recipes entirely.
#   * "-1000^0" starts the score at -1000. Each "1100^0 <regex>" adds 1100 at
#     most once when its regex matches. The recipe fires when the total is
#     positive, so the URL list behaves as a logical OR.
#
# Building blocks used in the patterns:
#   (^|[^0-9a-z]|=3D)       left boundary: start of line, a non-alphanumeric
#                           character, or "=3D" (quoted-printable "=", as in
#                           href=3Dhttp://...)
#   (ÿ|\.|[=%]2E)           a dot: literal ".", "%2E" (percent-encoded) or
#                           "=2E" (quoted-printable). NOTE(review): the "ÿ"
#                           alternative is kept as found; confirm it is an
#                           intended byte and not an encoding artifact.
#   (c|%63)                 a letter or its percent-encoded form
#   ([^a-z0-9.]|\. |\.$|$)  right boundary, so a longer hostname that merely
#                           starts with the listed one does not match
#
# Matching notes:
#   * No D flag is set, so matching is case-insensitive ("%6A" also matches
#     "%6a").
#   * procmail matches the raw body and does not MIME-decode it. The
#     quoted-printable forms above are handled explicitly; URLs inside
#     base64-encoded parts are not seen by these recipes.
#   * Entries on shared hosts are narrowed to a specific subdomain or path
#     (per the header, the hosting domains are not spammers themselves).
#     Keep new entries equally specific to limit false positives.
#
# Recipe 1: full URLs (each pattern requires the "http://" prefix).
#   "%73%69%73%69%68%61%6A%69%2E%6E%65%74/" decodes to "sisihaji.net/".
#   "w(e|%65)b%68%41%72%44" decodes to "webhArD". The fully literal
#   percent-encoded runs match only that exact encoding, not the plain
#   hostname.

:0 B
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* 1100^0 (^|[^0-9a-z]|=3D)http://meguriai77(ÿ|\.|[=%]2E)gotdns(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^0-9a-z]|=3D)http://geocities(ÿ|\.|[=%]2E)com/aC1pmub3G2k([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^0-9a-z]|=3D)http://%73%69%73%69%68%61%6A%69%2E%6E%65%74/
* 1100^0 (^|[^0-9a-z]|=3D)http://plus520(ÿ|\.|[=%]2E)myweb(ÿ|\.|[=%]2E)hinet(ÿ|\.|[=%]2E)net/cd/aspsoho(ÿ|\.|[=%]2E)htm([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^0-9a-z]|=3D)http://sexxy(ÿ|\.|[=%]2E)redirect(ÿ|\.|[=%]2E)hm/
* 1100^0 (^|[^0-9a-z]|=3D)http://www(ÿ|\.|[=%]2E)w(e|%65)b%68%41%72%44(ÿ|\.|[=%]2E)(c|%63)(o|%6F)(m|%6D)([^a-z0-9.]|\. |\.$|$)
{ LOCALTAG=yes }

# Encoded Spam Domains
#
# Lots of spammers using this to evade SURBL and other message
# body URI patterns.
#
# Recipe 2: hostnames only. No "http://" prefix is required, so a match can
# occur anywhere in the body that satisfies the boundary groups.
#   "%73%2Dv%63%64" decodes to "s-vcd".
#   "%72%75%6D%61%74%61%2E%72%75" decodes to "rumata.ru".
# Patterns built from (letter|%hex) pairs also match the plain, unencoded
# hostname, because each pair accepts the bare letter.
# NOTE(review): in the cafe24 pattern, "(a|%41)" pairs "a" with "%41", which
# is the encoding of uppercase "A". The lowercase encoding "%61" is not
# covered. Confirm whether that is intentional.

:0 B
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* 1100^0 (^|[^0-9a-z]|=3D)%73%2Dv%63%64(ÿ|\.|[=%]2E)(c|%63)(o|%6F)(m|%6D)([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^0-9a-z]|=3D)%72%75%6D%61%74%61%2E%72%75([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^0-9a-z]|=3D)(c|%63)(a|%41)(f|%66)(e|%65)24(ÿ|\.|[=%]2E)(c|%63)(o|%6F)(m|%6D)([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^0-9a-z]|=3D)(n|%6e)(u|%75)(r|%72)(i|%69)(ÿ|\.|[=%]2E)(c|%63)(c|%63)([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^0-9a-z]|=3D)(c|%63)(o|%6f)(d|%64)(n|%6e)(s|%73)(ÿ|\.|[=%]2E)(c|%63)(o|%6f)(m|%6d)([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^0-9a-z]|=3D)(d|%64)(m|%6D)(s|%73)(u|%75)(p|%70)(e|%65)(r|%72)(ÿ|\.|[=%]2E)(c|%63)(o|%6F)(m|%6D)([^a-z0-9.]|\. |\.$|$)
{ LOCALTAG=yes }