Posted to commits@spamassassin.apache.org by fe...@apache.org on 2007/01/01 02:15:43 UTC
svn commit: r491517 - /spamassassin/rules/branches/3.1/80_additional.cf
Author: felicity
Date: Sun Dec 31 17:15:43 2006
New Revision: 491517
URL: http://svn.apache.org/viewvc?view=rev&rev=491517
Log:
rearrange rules into the original sections, add in TVD_RCVD_SPACE_BRACKET rule
Modified:
spamassassin/rules/branches/3.1/80_additional.cf
Modified: spamassassin/rules/branches/3.1/80_additional.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/branches/3.1/80_additional.cf?view=diff&rev=491517&r1=491516&r2=491517
==============================================================================
--- spamassassin/rules/branches/3.1/80_additional.cf (original)
+++ spamassassin/rules/branches/3.1/80_additional.cf Sun Dec 31 17:15:43 2006
@@ -192,6 +192,67 @@
uri __TVD_INT_CID /^cid:/i
meta TVD_FW_GRAPHIC_ID3 __TVD_OUTLOOK_IMG && __TVD_INT_CID && !__UNUSABLE_MSGID && ! (__OE_MSGID_2 || __IMS_MSGID )
+header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
+describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
+
+header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
+header __MAILER_OL_5510 X-Mailer =~ /^Microsoft Office Outlook, Build 11.0.5510$/
+meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510)
+describe DRUGS_STOCK_MIMEOLE Stock-spam forged headers found (5510)
+
+# Suresh: 'Finding "mail.com", "post.com" etc in a received header is ALWAYS bogus'
+header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
+describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
+
+header OUTLOOK_3416 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.3416$/
+describe OUTLOOK_3416 Claims to be sent by an unusual build of Outlook (3416)
+
+# this seems to appear with a faked 'Microsoft Office Outlook' X-Mailer
+header MID_14DIGITS_HEX Message-ID =~ /^<[0-9]{14}\.[A-F0-9]{10}\@[0-9A-Z]+$/
+
+meta __HTML_IMG_ONLY ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 )
+
+meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
+describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
+
+meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
+describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
+
+header __HAS_OUTLOOK_IN_MAILER_NEW X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
+
+meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__HAS_OUTLOOK_IN_MAILER_NEW&&__HTML_LENGTH_1536_2048)
+describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
+
+# Spammy X-Mailer version strings; no longer seen in ham, due to MS'
+# auto-updates, but still appearing in plenty of spam template text
+header __XM_OL_29196700 X-Mailer =~ /^Microsoft Outlook Express 5.00.2919.6700$/
+header __XM_OL_41332400 X-Mailer =~ /^Microsoft Outlook Express 5.50.4133.2400$/
+header __XM_OL_48071700 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.1700$/
+header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
+header __XM_OL_29196600 X-Mailer =~ /^Microsoft Outlook Express 5.00.2919.6600$/
+header __XM_OL_49631700 X-Mailer =~ /^Microsoft Outlook Express 5.50.4963.1700$/
+header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
+header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
+header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
+header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
+meta SPAMMY_XMAILER (__XM_OL_29196700||__XM_OL_41332400||__XM_OL_48071700||__XM_OL_28001441||__XM_OL_29196600||__XM_OL_49631700||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
+describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
+
+header __HELO_NO_DOMAIN X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^\.]+ /
+
+meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
+describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
+
+# "Tora" spam
+header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
+header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
+header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
+meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
+
+header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/
+describe TVD_RCVD_SPACE_BRACKET Received header has a spammy looking section
+
+
###########################################################################
# ReplaceTags rules
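Review bot: Several version-string signatures in this hunk leave their dots unescaped: `__MIMEOLE_1106`, `__MAILER_OL_5510` and the ten `__XM_OL_*` patterns use a bare `.` where a literal dot is meant, so each one matches any character in those positions. `OUTLOOK_3416`, `__MAILER_OL_6626` and `__MOLE_2962` in the same hunk already escape them. Writing the others the same way, e.g. `header __MAILER_OL_5510 X-Mailer =~ /^Microsoft Office Outlook, Build 11\.0\.5510$/`, keeps these forged-header fingerprints exact. The false-positive risk is probably small because the patterns are anchored at both ends, but they feed the scored metas `DRUGS_STOCK_MIMEOLE` and `SPAMMY_XMAILER`, so the literal form is the safer one.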
@@ -239,7 +300,6 @@
endif
-
###########################################################################
# MIMEHeader Rules
@@ -255,12 +315,6 @@
mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/
mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/
-endif
-
-###########################################################################
-
-# backports from rulesrc/sandbox/jm/20_basic.cf
-ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
@@ -276,89 +330,13 @@
endif # Mail::SpamAssassin::Plugin::MIMEHeader
-header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
-describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
-
-header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
-header __MAILER_OL_5510 X-Mailer =~ /^Microsoft Office Outlook, Build 11.0.5510$/
-meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510)
-describe DRUGS_STOCK_MIMEOLE Stock-spam forged headers found (5510)
-
-# Suresh: 'Finding "mail.com", "post.com" etc in a received header is ALWAYS bogus'
-header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
-describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
-
-header OUTLOOK_3416 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.3416$/
-describe OUTLOOK_3416 Claims to be sent by an unusual build of Outlook (3416)
-
-# this seems to appear with a faked 'Microsoft Office Outlook' X-Mailer
-header MID_14DIGITS_HEX Message-ID =~ /^<[0-9]{14}\.[A-F0-9]{10}\@[0-9A-Z]+$/
-
-meta __HTML_IMG_ONLY ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 )
-
-meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
-describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
-
-meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
-describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
-
-header __HAS_OUTLOOK_IN_MAILER_NEW X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
-
-meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__HAS_OUTLOOK_IN_MAILER_NEW&&__HTML_LENGTH_1536_2048)
-describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
-
-# Spammy X-Mailer version strings; no longer seen in ham, due to MS'
-# auto-updates, but still appearing in plenty of spam template text
-header __XM_OL_29196700 X-Mailer =~ /^Microsoft Outlook Express 5.00.2919.6700$/
-header __XM_OL_41332400 X-Mailer =~ /^Microsoft Outlook Express 5.50.4133.2400$/
-header __XM_OL_48071700 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.1700$/
-header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
-header __XM_OL_29196600 X-Mailer =~ /^Microsoft Outlook Express 5.00.2919.6600$/
-header __XM_OL_49631700 X-Mailer =~ /^Microsoft Outlook Express 5.50.4963.1700$/
-header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
-header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
-header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
-header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
-meta SPAMMY_XMAILER (__XM_OL_29196700||__XM_OL_41332400||__XM_OL_48071700||__XM_OL_28001441||__XM_OL_29196600||__XM_OL_49631700||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
-describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
-
-header __HELO_NO_DOMAIN X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^\.]+ /
-
-meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
-describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
-
-# "Tora" spam
-header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
-header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
-header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
-meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
-
-# <gen:mutable>
-score MID_14DIGITS_HEX 2.8
-score OUTLOOK_3416 2.0
-score RCVD_MAIL_COM 3.0
-score DRUGS_STOCK_MIMEOLE 2.0
-score RCVD_FORGED_WROTE 2.8
-score STOCK_IMG_HDR_FROM 1.0
-score STOCK_IMG_HTML 1.0
-score STOCK_IMG_OUTLOOK 1.0
-score SPAMMY_XMAILER 1.0
-score SHORT_HELO_AND_INLINE_IMAGE 1.0
-score JM_TORA_XM 2.5
-# </gen:mutable>
-
-ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-# <gen:mutable>
-score PART_CID_STOCK_LESS 1.0
-score PART_CID_STOCK 1.0
-# </gen:mutable>
-endif # Mail::SpamAssassin::Plugin::MIMEHeader
-
###########################################################################
# SCORES
-ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# <gen:mutable>
+score PART_CID_STOCK_LESS 1.0
+score PART_CID_STOCK 1.0
score TVD_FW_GRAPHIC_ID1 2.1
score TVD_FW_GRAPHIC_ID2 2.1
score TVD_FW_GRAPHIC_NAME_LONG 1.8
@@ -368,50 +346,62 @@
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# <gen:mutable>
-score TVD_FUZZY_FINANCE 2.0
-score TVD_FUZZY_FIXED_RATE 2.0
-score TVD_FUZZY_MICROCAP 2.2
-score TVD_FUZZY_PHARMACEUTICAL 2.0
-score TVD_FUZZY_SECURITIES 1.8
-score TVD_FUZZY_SYMBOL 1.8
-score FUZZY_MERIDIA 2.0
-score TVD_FUZZY_DEGREE 2.0
+score TVD_FUZZY_FINANCE 2.0
+score TVD_FUZZY_FIXED_RATE 2.0
+score TVD_FUZZY_MICROCAP 2.2
+score TVD_FUZZY_PHARMACEUTICAL 2.0
+score TVD_FUZZY_SECURITIES 1.8
+score TVD_FUZZY_SYMBOL 1.8
+score FUZZY_MERIDIA 2.0
+score TVD_FUZZY_DEGREE 2.0
# </gen:mutable>
endif
# <gen:mutable>
-score NULL_IN_BODY 2.2
-score HS_EXTRA 1.2
-score DEAR_WINNER 2.0
-score DRUGS_HDIA 2.0
-score TVD_SUBJ_ACC_NUM 1.8
-score TVD_SUBJ_APPR_LOAN 2.0
-score TVD_SUBJ_OWE 2.4
-score TVD_SUBJ_WIPE_DEBT 2.0
-score TVD_UNDER_VALUED 1.8
-score VERTICAL_DRUGS_1 2.2
-score TVD_SECTION 2.5
-score TVD_HEAD_EDITION 1.0
-score TVD_HEAD_USR 1.0
-score TVD_INCREASE_SIZE 2.2
-score TVD_NOT_SATISFIED 2.0
-score HS_GETMEOFF 2.0
+score NULL_IN_BODY 2.2
+score HS_EXTRA 1.2
+score DEAR_WINNER 2.0
+score DRUGS_HDIA 2.0
+score TVD_SUBJ_ACC_NUM 1.8
+score TVD_SUBJ_APPR_LOAN 2.0
+score TVD_SUBJ_OWE 2.4
+score TVD_SUBJ_WIPE_DEBT 2.0
+score TVD_UNDER_VALUED 1.8
+score VERTICAL_DRUGS_1 2.2
+score TVD_SECTION 2.5
+score TVD_HEAD_EDITION 1.0
+score TVD_HEAD_USR 1.0
+score TVD_INCREASE_SIZE 2.2
+score TVD_NOT_SATISFIED 2.0
+score HS_GETMEOFF 2.0
score HS_SUBJ_ONLINE_PHARMACEUTICAL 2.0
-score KAM_STOCKOTC 1.0
-score SUBJ_RE_NUM 1.2
-score TVD_ACT_193 2.0
-score TVD_DEAR_HOMEOWNER 2.0
-score TVD_DOLLARS_US 1.2
-score TVD_EB_PHISH 2.0
-score TVD_SINGLE_SPAN_DIV 1.8
-score TVD_UA_FOSTERING 2.0
-score TVD_FINGER_01 2.0
-score TVD_SUBJ_FINGER_03 2.0
-score TVD_STOCK1 2.4
-score TVD_VIS_HIDDEN 2.4
-score TVD_SPACED_SUBJECT_WORD 2.0
-score TVD_SPACED_WORDS 2.2
-score TVD_PH_SUBJ_URGENT 2.0
-score TVD_FLOAT_GENERAL 2.0
-score TVD_FW_GRAPHIC_ID3 2.0
+score KAM_STOCKOTC 1.0
+score SUBJ_RE_NUM 1.2
+score TVD_ACT_193 2.0
+score TVD_DEAR_HOMEOWNER 2.0
+score TVD_DOLLARS_US 1.2
+score TVD_EB_PHISH 2.0
+score TVD_SINGLE_SPAN_DIV 1.8
+score TVD_UA_FOSTERING 2.0
+score TVD_FINGER_01 2.0
+score TVD_SUBJ_FINGER_03 2.0
+score TVD_STOCK1 2.4
+score TVD_VIS_HIDDEN 2.4
+score TVD_SPACED_SUBJECT_WORD 2.0
+score TVD_SPACED_WORDS 2.2
+score TVD_PH_SUBJ_URGENT 2.0
+score TVD_FLOAT_GENERAL 2.0
+score TVD_FW_GRAPHIC_ID3 2.0
+score TVD_RCVD_SPACE_BRACKET 1.2
+score MID_14DIGITS_HEX 2.8
+score OUTLOOK_3416 2.0
+score RCVD_MAIL_COM 3.0
+score DRUGS_STOCK_MIMEOLE 2.0
+score RCVD_FORGED_WROTE 2.8
+score STOCK_IMG_HDR_FROM 1.0
+score STOCK_IMG_HTML 1.0
+score STOCK_IMG_OUTLOOK 1.0
+score SPAMMY_XMAILER 1.0
+score SHORT_HELO_AND_INLINE_IMAGE 1.0
+score JM_TORA_XM 2.5
# </gen:mutable>
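Review bot: `MID_14DIGITS_HEX` (2.8) and `JM_TORA_XM` (2.5) are scored in this block, but their definitions in the first hunk have no `describe` line, unlike the rules next to them, so nothing in the file states what a hit on either one means. I would add something like `describe MID_14DIGITS_HEX Message-ID is 14 digits plus 10 hex chars (seen with faked Outlook X-Mailer)` and a matching line for `JM_TORA_XM`. The `MID_14DIGITS_HEX` pattern also ends at `[0-9A-Z]+$` with no closing `>`; if matching only unterminated Message-IDs is deliberate, a one-line comment saying so would keep a later edit from changing it by accident.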