Posted to commits@spamassassin.apache.org by pd...@apache.org on 2019/04/27 22:22:44 UTC
svn commit: r1858297 - in /spamassassin/trunk/rulesrc/sandbox/pds:
20_gdocs.cf 20_ntld.cf
Author: pds
Date: Sat Apr 27 22:22:43 2019
New Revision: 1858297
URL: http://svn.apache.org/viewvc?rev=1858297&view=rev
Log:
Add abused NTLDs for scoring
Added:
spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf
spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf
Added: spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf?rev=1858297&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_gdocs.cf Sat Apr 27 22:22:43 2019
@@ -0,0 +1,24 @@
+header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/
+reuse __PDS_GOOGLE_DRIVE_SHARE_1
+
+header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/
+reuse __PDS_GOOGLE_DRIVE_SHARE_2
+
+header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/
+reuse __PDS_GOOGLE_DRIVE_SHARE_3
+
+meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2)
+reuse __PDS_GOOGLE_DRIVE_SHARE
+
+meta GOOGLE_DRIVE_DEAR_SOMETHING __PDS_GOOGLE_DRIVE_SHARE && DEAR_SOMETHING
+describe GOOGLE_DRIVE_DEAR_SOMETHING From Google Drive and generic Dear (something)
+score GOOGLE_DRIVE_DEAR_SOMETHING 2.0 # limit
+reuse GOOGLE_DRIVE_DEAR_SOMETHING
+
+uri __PDS_GOOGLE_DRIVE_FILE /\/drive\.google\.com\/file/i
+reuse __PDS_GOOGLE_DRIVE_FILE
+
+meta SHORT_BODY_G_DRIVE __BODY_URI_ONLY && __LCL__KAM_BODY_LENGTH_LT_512 && __PDS_GOOGLE_DRIVE_FILE && (RDNS_DYNAMIC || HELO_DYNAMIC_IPADDR || HELO_DYNAMIC_HCC)
+describe SHORT_BODY_G_DRIVE Short body with Google Drive link and dynamic looking sender
+score SHORT_BODY_G_DRIVE 1.5 # limit
+reuse SHORT_BODY_G_DRIVE
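Review bot: The `uri` pattern at the __PDS_GOOGLE_DRIVE_FILE line is unanchored, so it fires on any URI that merely contains `drive.google.com/file` in its path (e.g. a link on an unrelated host with that string after the first slash), not only on a Google Drive host; anchoring it as `uri __PDS_GOOGLE_DRIVE_FILE /^https?:\/\/drive\.google\.com\/file/i` keeps SHORT_BODY_G_DRIVE on the links the describe text promises. The SHORT_BODY_G_DRIVE meta also names `__LCL__KAM_BODY_LENGTH_LT_512`, while FROM_NTLD_LINKBAIT in 20_ntld.cf (same commit) names `__KAM_BODY_LENGTH_LT_512`; whichever of the two is actually defined in the rule set should be used in both places, otherwise one meta depends on an undefined sub-rule. GOOGLE_DRIVE_DEAR_SOMETHING further depends on `DEAR_SOMETHING`, which is not defined in this commit; presumably it exists elsewhere in the rule tree, but a short comment such as `# DEAR_SOMETHING and __KAM_BODY_LENGTH_LT_512 are defined outside this file` would make the dependency explicit.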
Added: spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf?rev=1858297&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/pds/20_ntld.cf Sat Apr 27 22:22:43 2019
@@ -0,0 +1,44 @@
+if (version >= 3.004002)
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+
+enlist_addrlist (SUSP_NTLD) *@*.icu
+enlist_addrlist (SUSP_NTLD) *@*.online
+enlist_addrlist (SUSP_NTLD) *@*.work
+enlist_addrlist (SUSP_NTLD) *@*.date
+enlist_addrlist (SUSP_NTLD) *@*.top
+enlist_addrlist (SUSP_NTLD) *@*.life
+enlist_addrlist (SUSP_NTLD) *@*.review
+enlist_addrlist (SUSP_NTLD) *@*.xyz
+
+header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
+reuse __FROM_ADDRLIST_SUSPNTLD
+
+header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
+reuse __REPLYTO_ADDRLIST_SUSPNTLD
+
+meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
+tflags FROM_SUSPICIOUS_NTLD publish
+describe FROM_SUSPICIOUS_NTLD From abused NTLD
+score FROM_SUSPICIOUS_NTLD 0.5 # limit
+reuse FROM_SUSPICIOUS_NTLD
+
+meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && FROM_SUSPICIOUS_NTLD
+tflags FROM_NTLD_REPLY_FREEMAIL publish
+describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
+score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
+reuse FROM_NTLD_REPLY_FREEMAIL
+
+meta FROM_NTLD_LINKBAIT __KAM_BODY_LENGTH_LT_512 && FROM_SUSPICIOUS_NTLD && __BODY_URI_ONLY
+tflags FROM_NTLD_LINKBAIT publish
+describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
+score FROM_NTLD_LINKBAIT 2.0 # limit
+reuse FROM_NTLD_LINKBAIT
+
+meta GOOGLE_DRIVE_REPLY_BAD_NTLD __GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
+tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
+describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and From is from a BAD_TLD
+score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
+reuse GOOGLE_DRIVE_REPLY_BAD_NTLD
+
+endif
+endif
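Review bot: The describe line for GOOGLE_DRIVE_REPLY_BAD_NTLD says "From is from a BAD_TLD", but the meta just above it tests the Reply-To address via `__REPLYTO_ADDRLIST_SUSPNTLD`, so the description misstates what the rule checks; `describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from an abused NTLD` matches the logic. The same meta references `__GOOGLE_DRIVE_SHARE`, whereas the sub-rule this commit defines in 20_gdocs.cf is `__PDS_GOOGLE_DRIVE_SHARE`; unless `__GOOGLE_DRIVE_SHARE` already exists elsewhere in the rule set, this meta depends on an undefined rule and should reference `__PDS_GOOGLE_DRIVE_SHARE`. Since the SUSP_NTLD list is consulted by both the From and Reply-To checks, a one-line comment above the `enlist_addrlist` block stating that the globs match any address whose domain ends in one of the listed TLDs would help the next maintainer extend it consistently.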