Posted to commits@spamassassin.apache.org by pd...@apache.org on 2019/04/27 22:22:44 UTC

svn commit: r1858297 - in /spamassassin/trunk/rulesrc/sandbox/pds: 20_gdocs.cf 20_ntld.cf

Author: pds
Date: Sat Apr 27 22:22:43 2019
New Revision: 1858297

URL: http://svn.apache.org/viewvc?rev=1858297&view=rev
Log:
Add abused NTLDs for scoring

Added:
    spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf
    spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf

Added: spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf?rev=1858297&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf Sat Apr 27 22:22:43 2019
@@ -0,0 +1,24 @@
+header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/
+reuse  __PDS_GOOGLE_DRIVE_SHARE_1
+
+header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/
+reuse  __PDS_GOOGLE_DRIVE_SHARE_2
+
+header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/
+reuse  __PDS_GOOGLE_DRIVE_SHARE_3
+
+meta     __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2)
+reuse    __PDS_GOOGLE_DRIVE_SHARE
+
+meta     GOOGLE_DRIVE_DEAR_SOMETHING __PDS_GOOGLE_DRIVE_SHARE && DEAR_SOMETHING
+describe GOOGLE_DRIVE_DEAR_SOMETHING From Google Drive and generic Dear (something)
+score    GOOGLE_DRIVE_DEAR_SOMETHING 2.0 # limit
+reuse    GOOGLE_DRIVE_DEAR_SOMETHING
+
+uri      __PDS_GOOGLE_DRIVE_FILE /\/drive\.google\.com\/file/i
+reuse    __PDS_GOOGLE_DRIVE_FILE
+
+meta     SHORT_BODY_G_DRIVE __BODY_URI_ONLY && __LCL__KAM_BODY_LENGTH_LT_512 && __PDS_GOOGLE_DRIVE_FILE && (RDNS_DYNAMIC || HELO_DYNAMIC_IPADDR || HELO_DYNAMIC_HCC)
+describe SHORT_BODY_G_DRIVE Short body with Google Drive link and dynamic looking sender
+score    SHORT_BODY_G_DRIVE 1.5 # limit
+reuse    SHORT_BODY_G_DRIVE
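Review bot: The `__PDS_GOOGLE_DRIVE_FILE` pattern `/\/drive\.google\.com\/file/i` is not anchored to the URI host, so it also matches when `/drive.google.com/file` appears in the path or query string of a URL on some other domain. If the intent is "link really points at Google Drive", anchor it: `uri __PDS_GOOGLE_DRIVE_FILE m{^https?://drive\.google\.com/file}i`. Separately, `SHORT_BODY_G_DRIVE` uses `__LCL__KAM_BODY_LENGTH_LT_512` while 20_ntld.cf in the same commit uses `__KAM_BODY_LENGTH_LT_512`. Neither is defined in this commit, so it is worth confirming that both names exist in the tree and settling on one spelling.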

Added: spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf?rev=1858297&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf Sat Apr 27 22:22:43 2019
@@ -0,0 +1,44 @@
+if (version >= 3.004002)
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+
+enlist_addrlist (SUSP_NTLD) *@*.icu
+enlist_addrlist (SUSP_NTLD) *@*.online
+enlist_addrlist (SUSP_NTLD) *@*.work
+enlist_addrlist (SUSP_NTLD) *@*.date
+enlist_addrlist (SUSP_NTLD) *@*.top
+enlist_addrlist (SUSP_NTLD) *@*.life
+enlist_addrlist (SUSP_NTLD) *@*.review
+enlist_addrlist (SUSP_NTLD) *@*.xyz
+
+header   __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
+reuse    __FROM_ADDRLIST_SUSPNTLD
+
+header   __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
+reuse    __REPLYTO_ADDRLIST_SUSPNTLD
+
+meta     FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
+tflags   FROM_SUSPICIOUS_NTLD publish
+describe FROM_SUSPICIOUS_NTLD From abused NTLD
+score    FROM_SUSPICIOUS_NTLD 0.5 # limit
+reuse    FROM_SUSPICIOUS_NTLD
+
+meta     FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && FROM_SUSPICIOUS_NTLD
+tflags   FROM_NTLD_REPLY_FREEMAIL publish
+describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
+score    FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
+reuse    FROM_NTLD_REPLY_FREEMAIL
+
+meta     FROM_NTLD_LINKBAIT __KAM_BODY_LENGTH_LT_512 && FROM_SUSPICIOUS_NTLD && __BODY_URI_ONLY
+tflags   FROM_NTLD_LINKBAIT publish
+describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
+score    FROM_NTLD_LINKBAIT 2.0 # limit
+reuse    FROM_NTLD_LINKBAIT
+
+meta     GOOGLE_DRIVE_REPLY_BAD_NTLD __GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
+tflags   GOOGLE_DRIVE_REPLY_BAD_NTLD publish
+describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and From is from a BAD_TLD
+score    GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
+reuse    GOOGLE_DRIVE_REPLY_BAD_NTLD
+
+endif
+endif
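Review bot: `GOOGLE_DRIVE_REPLY_BAD_NTLD` depends on `__GOOGLE_DRIVE_SHARE`, but the subrule added in 20_gdocs.cf by this same commit is named `__PDS_GOOGLE_DRIVE_SHARE`. Unless `__GOOGLE_DRIVE_SHARE` is defined elsewhere in the tree, the meta references an undefined rule and would never fire. The line probably should read `meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD`. Its describe text also says "From is from a BAD_TLD" although the rule tests Reply-To via `check_replyto_in_list`, so `describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from an abused NTLD` would match what is actually checked. A `spamassassin --lint` run with both files loaded is worth doing to confirm the dependency resolves.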