You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2021/01/25 18:21:00 UTC
svn commit: r1885904 - in /spamassassin/trunk/rulesrc/sandbox/jhardin:
20_fillform.cf 20_misc_testing.cf
Author: jhardin
Date: Mon Jan 25 18:21:00 2021
New Revision: 1885904
URL: http://svn.apache.org/viewvc?rev=1885904&view=rev
Log:
More phishing rule tweaks
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf?rev=1885904&r1=1885903&r2=1885904&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_fillform.cf Mon Jan 25 18:21:00 2021
@@ -99,7 +99,7 @@ ifplugin Mail::SpamAssassin::Plugin::Rep
body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
replace_rules __FILL_THIS_FORM_FRAUD_PHISH1
meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH)
- meta FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY
+ meta FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO
describe FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
#score FILL_THIS_FORM_FRAUD_PHISH 1.50
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1885904&r1=1885903&r2=1885904&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Mon Jan 25 18:21:00 2021
@@ -1334,7 +1334,7 @@ body __SUSPICION_LOGIN /\bsusp
meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY
meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3
-meta ACCT_PHISHING (__ACCT_PHISH || __EMAIL_PHISH) && !__RCD_RDNS_SMTP_MESSY && !ACCT_PHISHING_MANY
+meta ACCT_PHISHING (__ACCT_PHISH || __EMAIL_PHISH) && !ACCT_PHISHING_MANY && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MTA_MESSY && !__STY_INVIS_MANY
describe ACCT_PHISHING Possible phishing for account information
score ACCT_PHISHING 1.500 # limit
meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY